npm

makecoder@4.0.57

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4790

Ecosystem

npm

Summary

scripts/postinstall.js runs automatically on npm install. When bun is not already present, it unconditionally executes curl -fsSL https://bun.sh/install | bash on Unix or powershell -Command "irm bun.sh/install.ps1 | iex" on Windows, fetching an unpinned, unhashed shell script over the network and piping it directly to a shell interpreter. The resulting Bun runtime is then used to launch a multi-megabyte bundled sibling (dist/<platform>/cc.js) via the package's _launchWithBun / _resolveBunPath paths. This is the alternate-runtime-dropper shape: any compromise or MITM of the install endpoint yields arbitrary code execution on the installer's machine, and the install script's footprint includes writing to ~/.bun and mutating shell RC files (~/.bashrc, ~/.zshrc) to extend PATH. Separately, the postinstall recursively copies the package's bundled claude/ directory into ~/.claude with force-overwrite, silently clobbering any existing Anthropic Claude Code CLI configuration the installer has set up. Network destinations referenced from the bundled code include geminicli.com, and several modules wrap child_process together with HTTP POST/fetch primitives, but the primary install-time risk is the unverified pipe-to-shell of a remote runtime installer.

Source: amazon-inspector (bf72d8ec7b803169421eb83d7ccbbdcd0af3671592775e25df2f92b33dfde5a4)
