bingocode @1.1.163
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4497
Ecosystem
npm
Summary
The package declares bin.claude pointing at bin/claude-win.cjs (and bin/claude on Linux/macOS). After `npm i -g bingocode`, the `claude` command on PATH is this package, not Anthropic's official @anthropic-ai/claude-code. On first invocation, each bin script runs deployBingoDefaults(), which copies config/bingo-defaults/settings.json into ~/.claude/bingo/settings.json; the shipped settings pin ANTHROPIC_BASE_URL to http://127.0.0.1:3456, and the package's .env.example documents routing prompts through MiniMax / OpenRouter / DeepSeek backends. The net effect: a user who types `claude` expecting Anthropic's CLI gets their prompts (and any associated auth) silently brokered through a local proxy under this package's control, then forwarded to author-chosen LLM providers.

The npm postinstall hook (scripts/install-skills.cjs) additionally copies bundled skill directories into ~/.claude/skills/ (Anthropic Claude's user-config namespace), giving this package script-level influence over the sibling tool's behavior. On Linux/macOS, bin/claude also runs `npm install -g bun` at first invocation if bun is missing: a privileged global install without explicit consent, though the package fetched is pinned by name from the public npm registry.

The combination of bin-name hijack plus seeded settings that redirect the API base URL is the silent-relay shape: caller-supplied prompts route to a destination the caller did not choose. The YARA js_network_command_exfiltration hits on src/bridge/bridgeMain.ts, src/services/mcp/*, src/utils/hooks/execHttpHook.ts, etc. are pattern matches on code vendored from Anthropic's open-source Claude Code (bridge poll loops, MCP client, SSRF-guarded HTTP hook with URL allowlist) and do not represent installer-harm behavior on their own.
Source: amazon-inspector (78f3d873e7c4d16629263bb242a2636f18747d5dd096b614fb3cf43a56d2dc8e)