mal-2026-6133
Vulnerability from ossf_malicious_packages
Published
2026-06-18 16:28
Modified
2026-06-18 17:10
Summary
Malicious code in panrouter (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53)

panrouter is advertised as a 'Claude Code router' but on default invocation (panrouter with no arguments) it (a) installs and rewrites the user's Claude Code configuration so that ANTHROPIC_BASE_URL points at a local proxy, and (b) launches a detached Node process running relay_client.cjs that opens a persistent WebSocket to wss://jiuling.xyz/ws. The relay registers the host using hostname+pid as nodeId and processes inbound JSON messages: any message containing a command field is passed verbatim to child_process.execSync with operator-supplied cwd and timeout, giving the operator of jiuling.xyz a fully-controlled remote shell on every installer's machine. The relay maintains itself via exponential-backoff reconnect and a 45s heartbeat watchdog. On Windows, the shipped tray-daemon.ps1 adds an HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry named 'PanRouter' for autostart and respawns relay_client.cjs every 5 seconds if missing, ensuring persistence across reboots. Independently, server.mjs and relay_client.cjs hardcode all Claude Code requests to be forwarded to https://opencode.ai/zen/v1/chat/completions with Authorization: 'Bearer public', remapping any user-selected model to 'deepseek-v4-flash-free'. cli.mjs writeConfig() overwrites ~/.claude/settings.json so that ANTHROPIC_BASE_URL=http://127.0.0.1:50816 and ANTHROPIC_AUTH_TOKEN=public, causing all Claude prompts the user issues — which routinely contain source code and secrets — to be silently routed through opencode.ai under a shared anonymous 'public' identity rather than the user's own Anthropic account.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector inspector-research@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "relay_client.cjs",
              "sha256": "605f82ca9a5ba88ab29eef42a2ea41af4d7f32237d37057773bca7012cc26174",
              "tlsh": "e862c66c54fa15213377f27c2a472056722af007314ada91768c36586fec73886f6bbe"
            },
            {
              "path": "cli.mjs",
              "sha256": "511521dbfcd963e646ae0dbf55ab0d7d442d60a09a8a2fe9fc48029a22a83bb6",
              "tlsh": "c632946a51bf4f3344b79a795307601632aac2137284edbc77dcc9422f8e238857d28c"
            },
            {
              "path": "server.mjs",
              "sha256": "8f3fcc082a91eedab669b6f56c9d8be01bd9966272f520bf73c2a633695779eb",
              "tlsh": "4e7298b414f3341577abe26c2e4b2069b279b0177206d991f24cf5686fdc53482babbc"
            }
          ],
          "package_integrity": [
            {
              "filename": "panrouter-5.0.1.tgz",
              "hashes": {
                "sha1": "f3acc6c7ec6a6d36c387fa989196fcc6fccf30fa",
                "sha512_sri": "sha512-y9rvLTe14v8JjP6eDoe7SpH7TkI8nBy5f90yPavlkCt9wyhGuc04dTLY3QI099jtkDeDp6lYWtmDSq7tS2pEgA=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "panrouter"
      },
      "versions": [
        "5.0.1",
        "5.0.0"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007004",
        "import_time": "2026-06-18T17:08:47.680352664Z",
        "modified_time": "2026-06-18T16:28:27Z",
        "sha256": "9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53",
        "source": "amazon-inspector",
        "versions": [
          "5.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-007006",
        "import_time": "2026-06-18T17:08:47.851195588Z",
        "modified_time": "2026-06-18T16:28:29Z",
        "sha256": "b51d00edd7a37d5352fecfc7210f281898bec61d219653df464a2ae70404e21d",
        "source": "amazon-inspector",
        "versions": [
          "5.0.0"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53)\npanrouter is advertised as a \u0027Claude Code router\u0027 but on default invocation (`panrouter` with no arguments) it (a) installs and rewrites the user\u0027s Claude Code configuration so that ANTHROPIC_BASE_URL points at a local proxy, and (b) launches a detached Node process running relay_client.cjs that opens a persistent WebSocket to wss://jiuling.xyz/ws. The relay registers the host using hostname+pid as nodeId and processes inbound JSON messages: any message containing a `command` field is passed verbatim to child_process.execSync with operator-supplied cwd and timeout, giving the operator of jiuling.xyz a fully-controlled remote shell on every installer\u0027s machine. The relay maintains itself via exponential-backoff reconnect and a 45s heartbeat watchdog. On Windows, the shipped tray-daemon.ps1 adds an HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run entry named \u0027PanRouter\u0027 for autostart and respawns relay_client.cjs every 5 seconds if missing, ensuring persistence across reboots. Independently, server.mjs and relay_client.cjs hardcode all Claude Code requests to be forwarded to https://opencode.ai/zen/v1/chat/completions with Authorization: \u0027Bearer public\u0027, remapping any user-selected model to \u0027deepseek-v4-flash-free\u0027. cli.mjs writeConfig() overwrites ~/.claude/settings.json so that ANTHROPIC_BASE_URL=http://127.0.0.1:50816 and ANTHROPIC_AUTH_TOKEN=public, causing all Claude prompts the user issues \u2014 which routinely contain source code and secrets \u2014 to be silently routed through opencode.ai under a shared anonymous \u0027public\u0027 identity rather than the user\u0027s own Anthropic account.\n",
  "id": "MAL-2026-6133",
  "modified": "2026-06-18T17:10:57Z",
  "published": "2026-06-18T16:28:27Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/panrouter/v/5.0.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/panrouter/v/5.0.0"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in panrouter (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.