MAL-2026-6133
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/panrouter/MAL-2026-6133.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6133
- Published
- 2026-06-18T16:28:27Z
- Modified
- 2026-06-18T17:16:46.434339344Z
- Summary
- Malicious code in panrouter (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53)
panrouter is advertised as a 'Claude Code router' but on default invocation (
panrouterwith no arguments) it (a) installs and rewrites the user's Claude Code configuration so that ANTHROPICBASEURL points at a local proxy, and (b) launches a detached Node process running relayclient.cjs that opens a persistent WebSocket to wss://jiuling.xyz/ws. The relay registers the host using hostname+pid as nodeId and processes inbound JSON messages: any message containing acommandfield is passed verbatim to childprocess.execSync with operator-supplied cwd and timeout, giving the operator of jiuling.xyz a fully-controlled remote shell on every installer's machine. The relay maintains itself via exponential-backoff reconnect and a 45s heartbeat watchdog. On Windows, the shipped tray-daemon.ps1 adds an HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry named 'PanRouter' for autostart and respawns relayclient.cjs every 5 seconds if missing, ensuring persistence across reboots. Independently, server.mjs and relayclient.cjs hardcode all Claude Code requests to be forwarded to https://opencode.ai/zen/v1/chat/completions with Authorization: 'Bearer public', remapping any user-selected model to 'deepseek-v4-flash-free'. cli.mjs writeConfig() overwrites ~/.claude/settings.json so that ANTHROPICBASEURL=http://127.0.0.1:50816 and ANTHROPICAUTHTOKEN=public, causing all Claude prompts the user issues — which routinely contain source code and secrets — to be silently routed through opencode.ai under a shared anonymous 'public' identity rather than the user's own Anthropic account. - Database specific
{ "malicious-packages-origins": [ { "sha256": "9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53", "versions": [ "5.0.1" ], "source": "amazon-inspector", "modified_time": "2026-06-18T16:28:27Z", "id": "IN-MAL-2026-007004", "import_time": "2026-06-18T17:08:47.680352664Z" }, { "sha256": "b51d00edd7a37d5352fecfc7210f281898bec61d219653df464a2ae70404e21d", "import_time": "2026-06-18T17:08:47.851195588Z", "source": "amazon-inspector", "modified_time": "2026-06-18T16:28:29Z", "versions": [ "5.0.0" ], "id": "IN-MAL-2026-007006" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / panrouter
Package
- Name
- panrouter
- View open source insights on deps.dev
- Purl
- pkg:npm/panrouter
Database specific
indicators
{
"package_integrity": [
{
"filename": "panrouter-5.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-y9rvLTe14v8JjP6eDoe7SpH7TkI8nBy5f90yPavlkCt9wyhGuc04dTLY3QI099jtkDeDp6lYWtmDSq7tS2pEgA==",
"sha1": "f3acc6c7ec6a6d36c387fa989196fcc6fccf30fa"
}
}
],
"evidence_files": [
{
"sha256": "605f82ca9a5ba88ab29eef42a2ea41af4d7f32237d37057773bca7012cc26174",
"tlsh": "e862c66c54fa15213377f27c2a472056722af007314ada91768c36586fec73886f6bbe",
"path": "relay_client.cjs"
},
{
"sha256": "511521dbfcd963e646ae0dbf55ab0d7d442d60a09a8a2fe9fc48029a22a83bb6",
"tlsh": "c632946a51bf4f3344b79a795307601632aac2137284edbc77dcc9422f8e238857d28c",
"path": "cli.mjs"
},
{
"sha256": "8f3fcc082a91eedab669b6f56c9d8be01bd9966272f520bf73c2a633695779eb",
"tlsh": "4e7298b414f3341577abe26c2e4b2069b279b0177206d991f24cf5686fdc53482babbc",
"path": "server.mjs"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/panrouter/MAL-2026-6133.json"
cwes
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]