MAL-2026-4371

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@bonsai-ai/claude-code-win32-x64/MAL-2026-4371.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4371
Withdrawn: 2026-05-26T20:55:39Z
Published: 2026-05-19T17:50:05Z
Modified: 2026-05-27T00:31:53.158669723Z
Summary: Malicious code in @bonsai-ai/claude-code-win32-x64 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d6591be3fe5d0b37196562035353367d96a2bb1390d8f0f4dae3c5abbfd927f6)

Package is published under the @bonsai-ai scope but impersonates Anthropic's official @anthropic-ai/claude-code-win32-x64 platform package. package.json declares "name": "@bonsai-ai/claude-code-win32-x64" with description "Native binary for Claude Code on win32-x64"; LICENSE.md reads © Anthropic PBC; and the README itself directs users to the legitimate @anthropic-ai/claude-code package. The tarball's files array publishes only claude.exe (228,410,016 bytes, sha256 a8610bedd1a60f4d5288e5a8ceab3abc5d12a37cc5ad3e12d6ed29da1f946bfc), README.md, and LICENSE.md — no source, no build script, no checksum file, no signature reference, and no relationship between the @bonsai-ai publisher and Anthropic. A developer who installs this and runs the resulting claude CLI executes 228 MB of opaque attacker-controlled bytes with full user privileges. The combination of Anthropic-brand impersonation, unauthorized publisher, and a single unverifiable native executable as the entire payload is a supply-chain attack regardless of whether the binary happens to be bit-identical to Anthropic's release — the publisher has no authority to redistribute it and consumers have no way to verify what they are running.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003217",
            "import_time": "2026-05-26T05:50:13.892131586Z",
            "sha256": "d6591be3fe5d0b37196562035353367d96a2bb1390d8f0f4dae3c5abbfd927f6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T17:50:05Z",
            "versions": [
                "2.1.141"
            ]
        }
    ]
}

Affected packages

npm / @bonsai-ai/claude-code-win32-x64

Package

Name: @bonsai-ai/claude-code-win32-x64
Purl: pkg:npm/%40bonsai-ai%2Fclaude-code-win32-x64

Affected ranges

Affected versions

2.*
2.1.141

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "ef2ef975208fbcc64213a808efa2f106723a6cf8b624d9d1f7deea08ebc3d249",
            "tlsh": "c4e0c210d21089a286ec7de0095b36ce62002e53815a7e123b2b8b8c0f6c9a7cabd17d"
        },
        {
            "path": "claude.exe",
            "sha256": "a8610bedd1a60f4d5288e5a8ceab3abc5d12a37cc5ad3e12d6ed29da1f946bfc",
            "tlsh": "b2b80633b791a526d06a81314dae92f16bb3fc010f2556873254f72d3df27806ae7b1a"
        }
    ],
    "package_integrity": [
        {
            "filename": "claude-code-win32-x64-2.1.141.tgz",
            "hashes": {
                "sha512_sri": "sha512-rPnJYwhFWWiPq80utBFkMLZYR3WYFtqTfqMrhcQpZ+9yE9wMa0Ns6mohxunwQAC91KylmV6TjIpCCyJKZbetIA==",
                "sha1": "dfa9f7b814cd7e1f2a9dffa4ac07508314b6f702"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@bonsai-ai/claude-code-win32-x64/MAL-2026-4371.json"