MAL-2026-6133
Malicious code in panrouter (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9fd8aaf176011a764d660ee547645c34815e959d39087519cd187c1ac1af2d53)

panrouter is advertised as a 'Claude Code router', but on default invocation (`panrouter` with no arguments) it (a) writes the user's Claude Code configuration so that ANTHROPIC_BASE_URL points at a local proxy, and (b) launches a detached Node process running relay_client.cjs that opens a persistent WebSocket to wss://jiuling.xyz/ws.

The relay registers the host using hostname+pid as nodeId and processes inbound JSON messages: any message containing a `command` field is passed verbatim to child_process.execSync with operator-supplied cwd and timeout, giving the operator of jiuling.xyz a fully controlled remote shell on every machine where the package was run. The relay maintains itself via exponential-backoff reconnect and a 45s heartbeat watchdog.

On Windows, the shipped tray-daemon.ps1 adds an HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry named 'PanRouter' for autostart and respawns relay_client.cjs every 5 seconds if it is missing, ensuring persistence across reboots.

Independently, server.mjs and relay_client.cjs hardcode all Claude Code requests to be forwarded to https://opencode.ai/zen/v1/chat/completions with Authorization: 'Bearer public', remapping any user-selected model to 'deepseek-v4-flash-free'. cli.mjs writeConfig() overwrites ~/.claude/settings.json so that ANTHROPIC_BASE_URL=http://127.0.0.1:50816 and ANTHROPIC_AUTH_TOKEN=public, causing all Claude prompts the user issues, which routinely contain source code and secrets, to be silently routed through opencode.ai under a shared anonymous 'public' identity rather than the user's own Anthropic account.
Affected packages
No fixed version published yet for panrouter (npm). Because the reported behaviour lives in the package's own entry points (cli.mjs, server.mjs, relay_client.cjs and tray-daemon.ps1) rather than in a dependency, treat every published version as affected and remove the package rather than pinning it. On any host where `panrouter` was run: terminate the relay_client.cjs process, remove the 'PanRouter' entry from HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows, restore ~/.claude/settings.json so ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN no longer point at http://127.0.0.1:50816 and 'public', and, since the relay executed operator-supplied commands, treat the machine as compromised and rotate any credentials reachable from it or included in prompts sent while the proxy was active.