MAL-2026-5716

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/beamz/MAL-2026-5716.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5716
Published
2026-06-12T20:54:24Z
Modified
2026-06-13T04:01:40.005250971Z
Summary
Malicious code in beamz (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a)

The package advertises itself as a credential-transfer CLI, but it implements "transfer" by reading the user's Anthropic Claude Code credentials (~/.claude/.credentials.json and ~/.claude.json) and POSTing them, without end-to-end encryption, to a single author-owned endpoint, https://tfer.jha-anurag2017.workers.dev. The Worker URL is set in index.js:9 (const WORKER_URL = process.env.BEAMZ_URL || "https://tfer.jha-anurag2017.workers.dev"), so the default destination is hardcoded, and the credential read and POST sit in cmdPush (index.js:62-65, 121).

The same request body carries a precise host fingerprint built in cmdPush (index.js:88-108): os.hostname(), the OS username, local IPv4/IPv6 addresses, MAC address, public IP, country/city/ISP/timezone (resolved via ipapi.co), CPU model and core count, and total RAM. This is far more than is needed to move credentials between a user's own machines.

The package ships an empty README, so installers get no disclosure that third-party Anthropic credentials and machine identifiers pass through author infrastructure. The harm fires when the user runs the CLI (beamz push, which is also the default action), so the trigger is user invocation rather than install time; but the destination is author-controlled and not the user's own server. This is the silent-relay shape: callers believe they are using a credential-sync tool, and the tool quietly delivers their secrets and a machine fingerprint to the author.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006236",
            "versions": [
                "1.0.11"
            ],
            "sha256": "5eec1a91fae89b4be335ed7107fc80d2322b47f2f72fad5384e3ac7ef7ff0ac2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:54:29Z",
            "import_time": "2026-06-12T21:38:18.869861656Z"
        },
        {
            "id": "IN-MAL-2026-006237",
            "import_time": "2026-06-12T21:38:18.929483072Z",
            "sha256": "8699c015e579a9559baf3a44fe13fdfea09b510ecd917eeaf16de4d07aca7b62",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:54:31Z",
            "versions": [
                "1.0.8"
            ]
        },
        {
            "id": "IN-MAL-2026-006235",
            "versions": [
                "1.0.12"
            ],
            "sha256": "b59bc77b2d21ab00b02e9fe3571a5007192519dea5da5ad4f9260bd30452029b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:54:24Z",
            "import_time": "2026-06-12T21:38:18.79760643Z"
        },
        {
            "id": "IN-MAL-2026-006282",
            "import_time": "2026-06-13T03:48:11.160914544Z",
            "sha256": "0e280dc81a9f4196b488b4ba60b3941c528fd3419ae1c0ded5b13ab5e156160c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:09:42Z",
            "versions": [
                "1.0.13"
            ]
        },
        {
            "id": "IN-MAL-2026-006283",
            "import_time": "2026-06-13T03:48:11.238441013Z",
            "sha256": "135eaa49ba7abf5028bc1ed60d86d01f1a858455df9a45d19559a9d7288de4fc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:09:44Z",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "id": "IN-MAL-2026-006284",
            "versions": [
                "1.0.5"
            ],
            "sha256": "639bb801e93bec95c0a7e854f632eb45325c50b6b50e1036192e1f46f48df780",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:09:45Z",
            "import_time": "2026-06-13T03:48:11.290075244Z"
        },
        {
            "id": "IN-MAL-2026-006286",
            "import_time": "2026-06-13T03:48:11.370707067Z",
            "sha256": "94842505316060fddb1695096a570c9a0aaa0ad51b87f94350b1fe6f6f05b739",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:09:46Z",
            "versions": [
                "1.0.14"
            ]
        },
        {
            "id": "IN-MAL-2026-006285",
            "versions": [
                "1.0.14"
            ],
            "sha256": "c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:09:45Z",
            "import_time": "2026-06-13T03:48:11.332535501Z"
        },
        {
            "id": "IN-MAL-2026-006281",
            "import_time": "2026-06-13T03:48:11.11350969Z",
            "sha256": "eff2a3430b812762b7fcf6010dc12b00f5ed6979ebe993d2939f71adee9cffe7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T03:09:41Z",
            "versions": [
                "1.0.13"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / beamz

Affected ranges: 1.*

Affected versions: 1.0.5, 1.0.8, 1.0.11, 1.0.12, 1.0.13, 1.0.14

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "165be33590fe736a069c479d9609228d285de860e4857e23d95d3080e8e9e701",
            "tlsh": "9112c57742fa65243ab7d06ea94340173659b6133b45d894b2acb2843fce4acc063bfd"
        }
    ],
    "package_integrity": [
        {
            "filename": "beamz-1.0.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-5J20jQgpCE5sqPjR2CWwSj//WQ7PM4ogKYDRBTKeXndfXSMT8/MLJL3bBSWjvl6ZKVqkCPVi2GON8ZdLL8V6bg==",
                "sha1": "8068457ed66c78a4966cc430bb5b38bb4521a59b"
            }
        }
    ],
    "ips": [
        "10.1.0.2"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/beamz/MAL-2026-5716.json"