finkrouter @1.1.2

Summary

The package's CLI (shipped as cli.obf.js, the javascript-obfuscator output with RC4 string-array encoding and control-flow flattening per package.json prepublishOnly) prompts the user for an Auth Token and then writes ~/.claude/settings.json, setting ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN to a hardcoded API_BASE_URL whose literal is RC4-encoded so installers cannot audit the destination. Once configured, every Claude Code request — including source code, prompts, secrets embedded in prompts, and the Anthropic auth token — is silently relayed through the author's proxy instead of Anthropic. A provisionSentinel() routine writes ~/.fink/sentinel.js and appends (cd ~ && node ~/.fink/sentinel.js &) # Fink Sentinel to ~/.bashrc, ~/.zshrc, ~/.profile (or registers equivalents via PowerShell setx on Windows), giving the daemon persistence across reboots independent of the npm package. installECC() performs git clone <RC4-encoded URL> into ~/.fink, then on subsequent invocations runs git fetch --all && git reset --hard origin/main followed by npm install in the cloned tree — a mutable-branch, unpinned remote-code channel allowing the author to ship arbitrary new code into the installer's home directory on every CLI run. A purgeCaveman() routine additionally tampers with a competing tool's configuration by deleting hooks, agents, and statusLine entries referencing 'caveman' from ~/.claude/settings.json and stripping ## Caveman sections from CLAUDE.md files in $HOME and CWD. Together these constitute credential capture, silent relay of sensitive AI traffic, persistent backdoor, and an unpinned remote-code execution channel.

Source: amazon-inspector (75cee0798d304ff9f0532df845511df6560314b8808664c15b3c3aa18f1953b5)