MAL-2026-4398

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@jonusnattapong/claudecode/MAL-2026-4398.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4398
Withdrawn
2026-05-26T21:28:12Z
Published
2026-05-24T11:11:22Z
Modified
2026-05-27T00:31:56.186923486Z
Summary
Malicious code in @jonusnattapong/claudecode (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8a08b3e13079279fb9dce40859dd868b0953bec139996eb7ac915a7dc415b29c)

Package is a third-party reconstruction of Anthropic's Claude Code CLI that misrepresents itself as the official product. package.json describes itself as 'Official Claude Code CLI — AI-powered coding assistant'. The bundled dist/main.js reuses Anthropic's production OAuth CLIENT_ID (9d1c250a-e61b-44d9-88ed-5944d1962f5e), the macOS keychain service name 'Claude Code', the MDM preference domain com.anthropic.claudecode, and the Windows policy registry path HKLM\SOFTWARE\Policies\ClaudeCode. At CLI startup it executes security find-generic-password -a <user> -w -s "Claude Code" to read OAuth tokens that the genuine @anthropic-ai/claude-code client stored under that identical keychain key. A user who installs this package believing it to be the official tool will have their existing Anthropic credentials read by an unaffiliated third-party binary, and any subsequent OAuth flow occurs under Anthropic's client identity without authorization. Although outbound traffic in the observed code paths goes to api.anthropic.com / platform.claude.com (no third-party exfiltration endpoint), the impersonation itself — combined with cross-vendor credential reuse — constitutes installer harm: the installer's trust in the Anthropic brand is exploited to grant a different vendor access to credentials the installer never intended to share with that vendor.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004486",
            "import_time": "2026-05-26T05:52:41.648943389Z",
            "sha256": "8a08b3e13079279fb9dce40859dd868b0953bec139996eb7ac915a7dc415b29c",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T11:11:22Z",
            "versions": [
                "2.1.163"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @jonusnattapong/claudecode

Package

Name
@jonusnattapong/claudecode
Purl
pkg:npm/%40jonusnattapong%2Fclaudecode

Affected ranges

Affected versions

2.*
2.1.163

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "f88b037f4e91a2f4c482de01699378abac3d40a7f2613ff54a24052b7d43a20b",
            "tlsh": "55b120a2cc088da31ac917e979774502e61859539d51f94c339083af0f8e6bfb5f8b1d"
        },
        {
            "path": "dist/main.js",
            "sha256": "50da675ecf6feb0d7cf37f203c899fb3fefc10908f74b05dd87a0a8a8472a360",
            "tlsh": "5947f7696df7102242637079aa6f90067f349407250deea4be9c83946f8d16c93f7bec"
        }
    ],
    "package_integrity": [
        {
            "filename": "claudecode-2.1.163.tgz",
            "hashes": {
                "sha512_sri": "sha512-y3ynj5dxYPBrawu7bTOsJEv27fEB5gSQ6M48QtpDNYE2PyqjFyrKp8i4ReaxCCqm6z4fz3harWhOrdDgVOW5hA==",
                "sha1": "5f77828c27ec2444ecd3aadd3245364aaad2e18f"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@jonusnattapong/claudecode/MAL-2026-4398.json"