
bingocode@1.1.193

BingoCode - AI-powered coding assistant CLI built on Claude

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Install-time code mutates the user's Claude control surface by planting package-supplied skills under ~/.claude/skills. The planted skill is an agent behavior protocol, so the package gains standing influence over future Claude sessions without explicit user invocation.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install runs package postinstall
Impact
Persistent modification of Claude agent behavior through a globally discoverable user skill; later CLI launch also seeds ~/.claude/bingo config and may start a detached local daemon.
Mechanism
unconsented lifecycle write to foreign AI-agent skill directory
Attack narrative
On installation, npm runs scripts/install-skills.cjs. That script enumerates package-bundled .claude/skills directories and copies them into the user's Claude config directory, defaulting to ~/.claude/skills. The shipped leanchy skill contains persistent assistant-behavior instructions. This is a lifecycle-triggered mutation of a broad/foreign AI-agent control surface, independent of whether the skill content is product-aligned.
Rationale
The package performs unconsented install-time delivery of package-supplied Claude skills into ~/.claude/skills, which matches the firewall policy for blockable AI-agent control hijack. The absence of exfiltration does not reduce this category because the concrete behavior is lifecycle mutation of a foreign agent control surface.
Evidence
  • package.json
  • scripts/install-skills.cjs
  • .claude/skills/leanchy/SKILL.md
  • config/bingo-defaults/settings.json
  • bin/bingo-win.cjs
  • bin/claude
  • bin/claude-win.cjs
  • bin/bingocode-win.cjs
  • ~/.claude/skills/leanchy/SKILL.md
  • ~/.claude/bingo/settings.json
  • ~/.claude-cli/runtime/daemon.lock
Network endpoints (2)
  • 127.0.0.1:3456
  • 127.0.0.1:3456/health

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install-skills.cjs
  • scripts/install-skills.cjs copies bundled .claude/skills/* into $CLAUDE_CONFIG_DIR or ~/.claude/skills during install
  • Bundled .claude/skills/leanchy/SKILL.md is an always-on Claude skill that alters assistant behavior until stopped
  • bin/claude and bin/*-win.cjs also write config into ~/.claude/bingo/settings.json on CLI launch
  • bin/bingo-win.cjs starts a detached tray daemon and writes runtime state under ~/.claude-cli/runtime
Evidence against
  • postinstall only copies existing skill files and does not overwrite existing skill directories
  • No credential harvesting or external exfiltration endpoint confirmed in inspected install hook
  • Bundled default config points ANTHROPIC_BASE_URL to local http://127.0.0.1:3456
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, Minified, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 2,172 file(s), 30.6 MB of source

Source & flagged code

16 flagged
package.json
scripts.postinstall = node scripts/install-skills.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
src/utils/powershell/parser.ts
L1343: patternName = generic_password severity = medium line = 1343 matchedText = pwd: '...
Medium
Secret Pattern

Package contains a possible secret pattern.

src/utils/powershell/parser.ts · L1343
bin/claude-win.cjs
L3: const { spawn } = require('node:child_process');
L4: const path = require('path');
High
Child Process

Package source references child process execution.

bin/claude-win.cjs · L2
matchType = normalized_sha256 matchedPackage = bingocode@1.1.190 matchedPath = bin/bingocode-win.cjs matchedIdentity = npm:YmluZ29jb2Rl:1.1.190 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/claude-win.cjs
src/utils/imagePaste.ts
L2: import { randomBytes } from 'crypto'
L3: import { execa } from 'execa'
L4: import { basename, extname, isAbsolute, join } from 'path'
High
Shell

Package source references shell execution.

src/utils/imagePaste.ts · L2
src/utils/plugins/mcpbHandler.ts
L4: } from '@anthropic-ai/mcpb'
L5: import axios from 'axios'
L6: import { createHash } from 'crypto'
...
L11: import { [redacted] } from '../dxt/helpers.js'
L12: import { parseZipModes, unzipFile } from '../dxt/zip.js'
L13: import { errorMessage, getErrnoCode, isENOENT, toError } from '../errors.js'
...
L92: */
L93: function generateContentHash(data: Uint8Array): string {
L94: return createHash('sha256').update(data).digest('hex').substring(0, 16)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/utils/plugins/mcpbHandler.ts · L4
src/utils/deepLink/registerProtocol.ts
L40: // in lockstep — drift here means the check returns a perpetual false.
L41: const MACOS_APP_DIR = path.join(os.homedir(), 'Applications', MACOS_APP_NAME)
L42: const MACOS_SYMLINK_PATH = path.join(
...
L219:
L220: switch (process.platform) {
L221: case 'darwin':
...
L276: case 'win32': {
L277: const { stdout, code } = await execFileNoThrow(
L278: 'reg',
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/utils/deepLink/registerProtocol.ts · L40
src/utils/ide.ts
L1354: async (isIdeRunningInWindows: boolean, port: number) => {
L1355: if (process.env.CLAUDE_CODE_IDE_HOST_OVERRIDE) {
L1356: return process.env.CLAUDE_CODE_IDE_HOST_OVERRIDE
...
L1364: // Windows, then we must use a different IP address to connect to the extension.
L1365: // https://learn.microsoft.com/en-us/windows/wsl/networking
L1366: try {
L1367: const routeResult = await execa('ip route show | grep -i default', {
L1368: shell: true,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/utils/ide.ts · L1354
scripts/install-skills.cjs
Install-time AI-agent control hijack evidence:
L2: /**
L3: * postinstall: copy bundled skills from .claude/skills/ → ~/.claude/skills/
L4: *
...
L20: const pkgRoot = path.resolve(__dirname, '..')
L21: const srcSkillsDir = path.join(pkgRoot, '.claude', 'skills')
L22: const dstSkillsDir = path.join(
L23: process.env.CLAUDE_CONFIG_DIR || path.join(home, '.claude'),
L24: 'skills',
...
L36: try {
L37: fs.mkdirSync(dst, { recursive: true })
L38: const src = path.join(srcSkillsDir, skill)
L39: for (const file of fs.readdirSync(src)) {
Payload evidence from src/components/mcp/MCPSettings.tsx:
L149: if (servers.length === 0 && agentMcpServers.length === 0) {
L150: onComplete("No MCP servers configured. Please run /doctor if this is unexpected. Otherwise, run `claude mcp --help` or visit https://code.claude.com/docs/en/mcp to learn more.");
L151: }
...
L397: }
L398: //# sourceMappingURL=data:application/json;charset=utf-8;base64,[redacted]...
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/install-skills.cjs · L2
bin/bingo-win.cjs
L88: // Install bun (via npm install -g bun)
L89: function installBun() {
...
L92: try {
L93: const npmResult = spawnSync(
L94: 'npm.cmd',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/bingo-win.cjs · L87
matchType = normalized_sha256 matchedPackage = bingocode@1.1.190 matchedPath = bin/bingo-win.cjs matchedIdentity = npm:YmluZ29jb2Rl:1.1.190 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/bingo-win.cjs
src/utils/vendor/ripgrep/x64-win32/rg.exe
path = src/utils/vendor/ripgrep/x64-win32/rg.exe kind = native_binary sizeBytes = 4266496 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

src/utils/vendor/ripgrep/x64-win32/rg.exe
runtime/win_helper.py
path = runtime/win_helper.py kind = build_helper sizeBytes = 26350 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/win_helper.py
bin/bingocode-win.cjs
matchType = normalized_sha256 matchedPackage = bingocode@1.1.190 matchedPath = bin/bingocode-win.cjs matchedIdentity = npm:YmluZ29jb2Rl:1.1.190 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/bingocode-win.cjs
src/main.tsx
matchType = normalized_sha256 matchedPackage = bingocode@1.1.190 matchedPath = src/main.tsx matchedIdentity = npm:YmluZ29jb2Rl:1.1.190 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/main.tsx
src/tools/SkillTool/SkillTool.ts
matchType = normalized_sha256 matchedPackage = bingocode@1.1.190 matchedPath = src/tools/SkillTool/SkillTool.ts matchedIdentity = npm:YmluZ29jb2Rl:1.1.190 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/tools/SkillTool/SkillTool.ts

Findings

1 Critical · 10 High · 7 Medium · 5 Low
Critical · Ai Agent Control Hijack · scripts/install-skills.cjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/claude-win.cjs
High · Shell · src/utils/imagePaste.ts
High · Same File Env Network Execution · src/utils/ide.ts
High · Runtime Package Install · bin/bingo-win.cjs
High · Known Malware Source Similarity · bin/bingo-win.cjs
High · Known Malware Source Similarity · bin/bingocode-win.cjs
High · Known Malware Source Similarity · bin/claude-win.cjs
High · Known Malware Source Similarity · src/main.tsx
High · Known Malware Source Similarity · src/tools/SkillTool/SkillTool.ts
Medium · Secret Pattern · src/utils/powershell/parser.ts
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · src/utils/deepLink/registerProtocol.ts
Medium · Ships Native Binary · src/utils/vendor/ripgrep/x64-win32/rg.exe
Medium · Ships Build Helper · runtime/win_helper.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · src/utils/plugins/mcpbHandler.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings