{"id":"MAL-2026-4398","summary":"Malicious code in @jonusnattapong/claudecode (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8a08b3e13079279fb9dce40859dd868b0953bec139996eb7ac915a7dc415b29c)\nPackage is a third-party reconstruction of Anthropic's Claude Code CLI that misrepresents itself as the official product. package.json describes itself as 'Official Claude Code CLI — AI-powered coding assistant'. The bundled dist/main.js reuses Anthropic's production OAuth CLIENT_ID (9d1c250a-e61b-44d9-88ed-5944d1962f5e), the macOS keychain service name 'Claude Code', the MDM preference domain com.anthropic.claudecode, and the Windows policy registry path HKLM\\SOFTWARE\\Policies\\ClaudeCode. At CLI startup it executes `security find-generic-password -a \u003cuser\u003e -w -s \"Claude Code\"` to read OAuth tokens that the genuine @anthropic-ai/claude-code client stored under that identical keychain key. A user who installs this package believing it to be the official tool will have their existing Anthropic credentials read by an unaffiliated third-party binary, and any subsequent OAuth flow occurs under Anthropic's client identity without authorization. Although outbound traffic in the observed code paths goes to api.anthropic.com / platform.claude.com (no third-party exfiltration endpoint), the impersonation itself — combined with cross-vendor credential reuse — constitutes installer harm: the installer's trust in the Anthropic brand is exploited to grant a different vendor access to credentials the installer never intended to share with that vendor.\n","modified":"2026-05-27T00:31:56.186923486Z","published":"2026-05-24T11:11:22Z","withdrawn":"2026-05-26T21:28:12Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:52:41.648943389Z","versions":["2.1.163"],"source":"amazon-inspector","sha256":"8a08b3e13079279fb9dce40859dd868b0953bec139996eb7ac915a7dc415b29c","id":"IN-MAL-2026-004486","modified_time":"2026-05-24T11:11:22Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jonusnattapong/claudecode/v/2.1.163"}],"affected":[{"package":{"name":"@jonusnattapong/claudecode","ecosystem":"npm","purl":"pkg:npm/%40jonusnattapong%2Fclaudecode"},"versions":["2.1.163"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-y3ynj5dxYPBrawu7bTOsJEv27fEB5gSQ6M48QtpDNYE2PyqjFyrKp8i4ReaxCCqm6z4fz3harWhOrdDgVOW5hA==","sha1":"5f77828c27ec2444ecd3aadd3245364aaad2e18f"},"filename":"claudecode-2.1.163.tgz"}],"evidence_files":[{"path":"package.json","sha256":"f88b037f4e91a2f4c482de01699378abac3d40a7f2613ff54a24052b7d43a20b","tlsh":"55b120a2cc088da31ac917e979774502e61859539d51f94c339083af0f8e6bfb5f8b1d"},{"path":"dist/main.js","sha256":"50da675ecf6feb0d7cf37f203c899fb3fefc10908f74b05dd87a0a8a8472a360","tlsh":"5947f7696df7102242637079aa6f90067f349407250deea4be9c83946f8d16c93f7bec"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@jonusnattapong/claudecode/MAL-2026-4398.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}