registry  /  bingocode  /  1.1.183

bingocode@1.1.183

BingoCode - AI-powered coding assistant CLI built on Claude

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package mutates the Claude/AI-agent control surface at npm install time by dropping a package-supplied skill into the user's Claude config. Runtime wrappers also impersonate the claude command and write Claude config defaults that route Anthropic traffic to a local Bingo service.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
npm install runs postinstall; invoking claude/bingo/bingocode runs bin wrappers
Impact
Can alter future Claude agent behavior and tool-use norms outside the package execution context; can intercept expected claude CLI usage through the package bin.
Mechanism
unconsented AI-agent skill installation and Claude CLI wrapper/config mutation
Attack narrative
On installation, postinstall copies bundled skills from the package into the user's global Claude skills directory. The installed leanchy skill contains behavioral instructions for agent communication and engineering workflow, so the package changes an AI-agent control surface outside normal package runtime. The package also exposes a claude binary and wrapper scripts that deploy ~/.claude/bingo/settings.json, steering Anthropic API configuration to a localhost service.
Rationale
Install-time writes into ~/.claude/skills are an unconsented AI-agent control-surface mutation, and the package also registers a claude binary plus Claude config defaults. Even without confirmed credential exfiltration, this is concrete malicious behavior for an upstream firewall. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/install-skills.cjs.claude/skills/leanchy/SKILL.md.claude/settings.local.jsonbin/claudebin/claude-win.cjsbin/bingobin/bingo-win.cjsbin/bingocode-win.cjsconfig/bingo-defaults/settings.json~/.claude/skills/leanchy/SKILL.md~/.claude/bingo/settings.json
Network endpoints3
127.0.0.1:3456127.0.0.1:3456/healthwss://api.anthropic.com/v1/sessions/ws/{sessionId}/subscribe?organization_uuid=...

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install-skills.cjs.
  • scripts/install-skills.cjs copies bundled .claude/skills/* into $CLAUDE_CONFIG_DIR or ~/.claude/skills during install.
  • .claude/skills/leanchy/SKILL.md is an AI-agent behavior protocol, installed without a user invocation path.
  • package ships bin name "claude" pointing to bin/claude-win.cjs/bin/claude, creating a Claude CLI impersonation/control surface.
  • bin/claude and bin/bingocode-win.cjs write default config to ~/.claude/bingo/settings.json pointing ANTHROPIC_BASE_URL at localhost.
  • .claude/settings.local.json contains package-local Claude permission allow rules for bash/read commands.
Evidence against
  • No credential exfiltration code confirmed in inspected install script or bin wrappers.
  • Observed network endpoints are mostly local proxy/health checks or Anthropic-aligned service URLs.
  • Bundled native rg.exe appears to be a ripgrep utility dependency artifact.
  • Postinstall skips if .claude/skills is absent and does not overwrite existing skill directories.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2,163 file(s), 30.5 MB of source, external domains: 1.1.1.1, 127.0.0.1, anthropic.com, api-staging.anthropic.com, api.anthropic.com, api.example.com, api.telegram.org, app.corridor.dev, apps.apple.com, artifactory.infra.ant.dev, beacon.claude-ai.staging.ant.dev, clau.de, claude-ai.staging.ant.dev, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, cli.github.com, code.claude.com, cognitiveservices.azure.com, docs.anthropic.com, docs.claude.com, downloads.claude.ai, evil.com, example.com, fonts.googleapis.com, git-scm.com, github.com, hooks.example.com, http-intake.logs.us5.datadoghq.com, json.schemastore.org, mcp-proxy-staging.anthropic.com, mcp-proxy.anthropic.com, mcp.example.com, mcp.sentry.dev, mlaas.games.com, open.feishu.cn, platform.claude.com, platform.staging.ant.dev, play.google.com, pypi.tuna.tsinghua.edu.cn, raw.githubusercontent.com, s3-frontend.infra.ant.dev, slack.com, storage.googleapis.com, support.anthropic.com, support.claude.com, tauri.localhost, www.anthropic.com, www.apple.com

Source & flagged code

16 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-skills.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
src/utils/powershell/parser.tsView file
1343patternName = generic_password severity = medium line = 1343 matchedText = pwd: '...
Medium
Secret Pattern

Package contains a possible secret pattern.

src/utils/powershell/parser.tsView on unpkg · L1343
bin/claude-win.cjsView file
2L3: const { spawn } = require('node:child_process'); L4: const path = require('path');
High
Child Process

Package source references child process execution.

bin/claude-win.cjsView on unpkg · L2
matchType = normalized_sha256 matchedPackage = bingocode@1.1.182 matchedPath = bin/bingocode-win.cjs matchedIdentity = npm:YmluZ29jb2Rl:1.1.182 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/claude-win.cjsView on unpkg
src/utils/imagePaste.tsView file
2import { randomBytes } from 'crypto' L3: import { execa } from 'execa' L4: import { basename, extname, isAbsolute, join } from 'path'
High
Shell

Package source references shell execution.

src/utils/imagePaste.tsView on unpkg · L2
src/utils/plugins/mcpbHandler.tsView file
4} from '@anthropic-ai/mcpb' L5: import axios from 'axios' L6: import { createHash } from 'crypto' ... L11: import { [redacted] } from '../dxt/helpers.js' L12: import { parseZipModes, unzipFile } from '../dxt/zip.js' L13: import { errorMessage, getErrnoCode, isENOENT, toError } from '../errors.js' ... L92: */ L93: function generateContentHash(data: Uint8Array): string { L94: return createHash('sha256').update(data).digest('hex').substring(0, 16)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/utils/plugins/mcpbHandler.tsView on unpkg · L4
src/utils/deepLink/registerProtocol.tsView file
40// in lockstep — drift here means the check returns a perpetual false. L41: const MACOS_APP_DIR = path.join(os.homedir(), 'Applications', MACOS_APP_NAME) L42: const MACOS_SYMLINK_PATH = path.join( ... L219: L220: switch (process.platform) { L221: case 'darwin': ... L276: case 'win32': { L277: const { stdout, code } = await execFileNoThrow( L278: 'reg',
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/utils/deepLink/registerProtocol.tsView on unpkg · L40
src/utils/ide.tsView file
1354async (isIdeRunningInWindows: boolean, port: number) => { L1355: if (process.env.CLAUDE_CODE_IDE_HOST_OVERRIDE) { L1356: return process.env.CLAUDE_CODE_IDE_HOST_OVERRIDE ... L1364: // Windows, then we must use a different IP address to connect to the extension. L1365: // https://learn.microsoft.com/en-us/windows/wsl/networking L1366: try { L1367: const routeResult = await execa('ip route show | grep -i default', { L1368: shell: true,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/utils/ide.tsView on unpkg · L1354
scripts/install-skills.cjsView file
2Install-time AI-agent control hijack evidence: L2: /** L3: * postinstall: copy bundled skills from .claude/skills/ → ~/.claude/skills/ L4: * ... L20: const pkgRoot = path.resolve(__dirname, '..') L21: const srcSkillsDir = path.join(pkgRoot, '.claude', 'skills') L22: const dstSkillsDir = path.join( L23: process.env.CLAUDE_CONFIG_DIR || path.join(home, '.claude'), L24: 'skills', ... L36: try { L37: fs.mkdirSync(dst, { recursive: true }) L38: const src = path.join(srcSkillsDir, skill) L39: for (const file of fs.readdirSync(src)) { Payload evidence from src/components/mcp/MCPSettings.tsx: L149: if (servers.length === 0 && agentMcpServers.length === 0) { L150: onComplete("No MCP servers configured. Please run /doctor if this is unexpected. Otherwise, run `claude mcp --help` or visit https://code.claude.com/docs/en/mcp to learn more."); L151: } ... L397: } L398: //# sourceMappingURL=data:application/json;charset=utf-8;base64,[redacted]...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skills.cjsView on unpkg · L2
bin/bingo-win.cjsView file
87L88: // 安装 bun(通过 npm install -g bun) L89: function installBun() { ... L92: try { L93: const npmResult = spawnSync( L94: 'npm.cmd',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/bingo-win.cjsView on unpkg · L87
matchType = normalized_sha256 matchedPackage = bingocode@1.1.182 matchedPath = bin/bingo-win.cjs matchedIdentity = npm:YmluZ29jb2Rl:1.1.182 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/bingo-win.cjsView on unpkg
src/utils/vendor/ripgrep/x64-win32/rg.exeView file
path = src/utils/vendor/ripgrep/x64-win32/rg.exe kind = native_binary sizeBytes = 4266496 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

src/utils/vendor/ripgrep/x64-win32/rg.exeView on unpkg
runtime/win_helper.pyView file
path = runtime/win_helper.py kind = build_helper sizeBytes = 26350 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/win_helper.pyView on unpkg
bin/bingocode-win.cjsView file
matchType = normalized_sha256 matchedPackage = bingocode@1.1.182 matchedPath = bin/bingocode-win.cjs matchedIdentity = npm:YmluZ29jb2Rl:1.1.182 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/bingocode-win.cjsView on unpkg
src/main.tsxView file
matchType = normalized_sha256 matchedPackage = bingocode@1.1.182 matchedPath = src/main.tsx matchedIdentity = npm:YmluZ29jb2Rl:1.1.182 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/main.tsxView on unpkg
src/tools/SkillTool/SkillTool.tsView file
matchType = normalized_sha256 matchedPackage = bingocode@1.1.182 matchedPath = src/tools/SkillTool/SkillTool.ts matchedIdentity = npm:YmluZ29jb2Rl:1.1.182 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/tools/SkillTool/SkillTool.tsView on unpkg

Findings

1 Critical10 High7 Medium5 Low
CriticalAi Agent Control Hijackscripts/install-skills.cjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/claude-win.cjs
HighShellsrc/utils/imagePaste.ts
HighSame File Env Network Executionsrc/utils/ide.ts
HighRuntime Package Installbin/bingo-win.cjs
HighKnown Malware Source Similaritybin/bingo-win.cjs
HighKnown Malware Source Similaritybin/bingocode-win.cjs
HighKnown Malware Source Similaritybin/claude-win.cjs
HighKnown Malware Source Similaritysrc/main.tsx
HighKnown Malware Source Similaritysrc/tools/SkillTool/SkillTool.ts
MediumSecret Patternsrc/utils/powershell/parser.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/utils/deepLink/registerProtocol.ts
MediumShips Native Binarysrc/utils/vendor/ripgrep/x64-win32/rg.exe
MediumShips Build Helperruntime/win_helper.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/utils/plugins/mcpbHandler.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings