@wengine-ai/claude-code-router-shared@2.0.41
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4468
Ecosystem: npm
Summary
dist/index.js line 14 issues a fetch() call to https://pub-0dc3e1677e894f07bbea11b17a29e032.r2.dev, an anonymous Cloudflare R2 bucket, and references process.platform and process.versions to select a platform-specific payload. Anonymous *.r2.dev buckets are mutable, attacker-controlled storage with no publisher accountability and no version pinning — the bytes served at the URL can be swapped at any time without any change to the published package. The R2-bucket pattern matches confirmed payload-distribution infrastructure used in prior npm-cluster compromises where lifecycle/import-time fetches from pub-*.r2.dev hosts dropped platform-native binaries onto installer machines. Combined with platform-fingerprinting (process.platform, process.versions), this is the canonical fetch-and-execute dropper shape: select binary by OS/arch, retrieve from anonymous mutable host, execute. Installing or loading this package exposes the installer to arbitrary attacker-controlled code execution.
Source: amazon-inspector (45e362000d036139e02a066a82ec157314a07796e0e855cdce184cc081ca4591)