{"id":"MAL-2026-4371","summary":"Malicious code in @bonsai-ai/claude-code-win32-x64 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d6591be3fe5d0b37196562035353367d96a2bb1390d8f0f4dae3c5abbfd927f6)\nPackage is published under the `@bonsai-ai` scope but impersonates Anthropic's official `@anthropic-ai/claude-code-win32-x64` platform package. `package.json` declares `\"name\": \"@bonsai-ai/claude-code-win32-x64\"` with description `\"Native binary for Claude Code on win32-x64\"`; `LICENSE.md` reads `© Anthropic PBC`; and the README itself directs users to the legitimate `@anthropic-ai/claude-code` package. The tarball's `files` array publishes only `claude.exe` (228,410,016 bytes, sha256 a8610bedd1a60f4d5288e5a8ceab3abc5d12a37cc5ad3e12d6ed29da1f946bfc), `README.md`, and `LICENSE.md` — no source, no build script, no checksum file, no signature reference, and no relationship between the `@bonsai-ai` publisher and Anthropic. A developer who installs this and runs the resulting `claude` CLI executes 228 MB of opaque attacker-controlled bytes with full user privileges. The combination of Anthropic-brand impersonation, unauthorized publisher, and a single unverifiable native executable as the entire payload is a supply-chain attack regardless of whether the binary happens to be bit-identical to Anthropic's release — the publisher has no authority to redistribute it and consumers have no way to verify what they are running.\n","modified":"2026-05-27T00:31:53.158669723Z","published":"2026-05-19T17:50:05Z","withdrawn":"2026-05-26T20:55:39Z","database_specific":{"malicious-packages-origins":[{"versions":["2.1.141"],"sha256":"d6591be3fe5d0b37196562035353367d96a2bb1390d8f0f4dae3c5abbfd927f6","id":"IN-MAL-2026-003217","import_time":"2026-05-26T05:50:13.892131586Z","source":"amazon-inspector","modified_time":"2026-05-19T17:50:05Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@bonsai-ai/claude-code-win32-x64/v/2.1.141"}],"affected":[{"package":{"name":"@bonsai-ai/claude-code-win32-x64","ecosystem":"npm","purl":"pkg:npm/%40bonsai-ai%2Fclaude-code-win32-x64"},"versions":["2.1.141"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@bonsai-ai/claude-code-win32-x64/MAL-2026-4371.json","indicators":{"evidence_files":[{"sha256":"ef2ef975208fbcc64213a808efa2f106723a6cf8b624d9d1f7deea08ebc3d249","tlsh":"c4e0c210d21089a286ec7de0095b36ce62002e53815a7e123b2b8b8c0f6c9a7cabd17d","path":"package.json"},{"sha256":"a8610bedd1a60f4d5288e5a8ceab3abc5d12a37cc5ad3e12d6ed29da1f946bfc","tlsh":"b2b80633b791a526d06a81314dae92f16bb3fc010f2556873254f72d3df27806ae7b1a","path":"claude.exe"}],"package_integrity":[{"hashes":{"sha1":"dfa9f7b814cd7e1f2a9dffa4ac07508314b6f702","sha512_sri":"sha512-rPnJYwhFWWiPq80utBFkMLZYR3WYFtqTfqMrhcQpZ+9yE9wMa0Ns6mohxunwQAC91KylmV6TjIpCCyJKZbetIA=="},"filename":"claude-code-win32-x64-2.1.141.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}