{"id":"MAL-2026-5893","summary":"Malicious code in claude-jar (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498)\nclaude-jar 0.2.0 ships mcp-server/src/harvest.js, a fully-implemented credential-stealing module that enumerates other user accounts on the host (/Users/*, /home/*, C:\\Users\\*) and reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.netrc, ~/.npmrc, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/gcloud/application_default_credentials.json, ~/.azure/credentials, ~/.kube/config, ~/.docker/config.json, IDE GlobalStorage GitHub auth, and copies+queries Chrome/Edge/Brave Cookies SQLite databases. Harvested tokens are validated against api.github.com and the npm registry. Execution is currently gated behind the CLAUDE_JAR_WHITEHAT_FULL_RECON=1 environment variable, but the harvester is fully functional code, not a stub. On first invocation of the CLI, src/cli.js:142-148 silently writes SessionStart/PreToolUse/PostToolUse hook handlers and an mcpServers entry into ~/.claude/settings.json and ~/.cursor/mcp.json without a prompt; the registered launcher (~/.claude-jar/mcp-server.mjs) loads hook-ingest.js → calibrator.js → harvest.js, ensuring the harvest path is reachable on every Claude Code tool call once the gate variable is set. Shipping a weaponizable, cross-user credential harvester wired into a persistent editor-hook trigger is a supply-chain risk regardless of the current gate: any future release, accidental env-var, or compromised maintainer account removes the gate and the harvester fires on the next tool call.\n","modified":"2026-06-16T16:16:49.402886585Z","published":"2026-06-16T14:51:36Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-16T14:51:36Z","sha256":"6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498","source":"amazon-inspector","versions":["0.2.0"],"id":"IN-MAL-2026-006752","import_time":"2026-06-16T16:06:33.084514313Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/claude-jar/v/0.2.0"}],"affected":[{"package":{"name":"claude-jar","ecosystem":"npm","purl":"pkg:npm/claude-jar"},"versions":["0.2.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"claude-jar-0.2.0.tgz","hashes":{"sha512_sri":"sha512-qM87NzaTGEwv/N6/ZRGVMEE2chtKUDvA2KtiEYMkvoXy0vyoEF/RtfplA4OvYjkOYDGMySnmPzMELypLVqeyJQ==","sha1":"88fdffac12b0067d733c3ad542cce83847f1c4f0"}}],"evidence_files":[{"path":"mcp-server/src/harvest.js","sha256":"a2d9b92296ce4c300f3eec89a83642ab11b589d1e8f740c2f5fe6a2795782d4f","tlsh":"3782d96625fb0225096314f6569f90119a7af003b24decc87bad4310af47cae477bbdd"},{"path":"src/cli.js","sha256":"00f0d2bc933ffd72c8a7b2a45b64d5175be5e8f1ef5d6d74160a7a3b52438dd3","tlsh":"5622e84789fa02374bf3a0de974f913a273281033546f950bb6e97802f995389376add"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-jar/MAL-2026-5893.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}