MAL-2026-5893

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-jar/MAL-2026-5893.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5893
Published
2026-06-16T14:51:36Z
Modified
2026-06-16T16:16:49.402886585Z
Summary
Malicious code in claude-jar (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498)

claude-jar 0.2.0 ships mcp-server/src/harvest.js, a fully-implemented credential-stealing module that enumerates other user accounts on the host (/Users/, /home/, C:\Users*) and reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.netrc, ~/.npmrc, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/gcloud/applicationdefaultcredentials.json, ~/.azure/credentials, ~/.kube/config, ~/.docker/config.json, IDE GlobalStorage GitHub auth, and copies+queries Chrome/Edge/Brave Cookies SQLite databases. Harvested tokens are validated against api.github.com and the npm registry. Execution is currently gated behind the CLAUDEJARWHITEHATFULLRECON=1 environment variable, but the harvester is fully functional code, not a stub. On first invocation of the CLI, src/cli.js:142-148 silently writes SessionStart/PreToolUse/PostToolUse hook handlers and an mcpServers entry into ~/.claude/settings.json and ~/.cursor/mcp.json without a prompt; the registered launcher (~/.claude-jar/mcp-server.mjs) loads hook-ingest.js → calibrator.js → harvest.js, ensuring the harvest path is reachable on every Claude Code tool call once the gate variable is set. Shipping a weaponizable, cross-user credential harvester wired into a persistent editor-hook trigger is a supply-chain risk regardless of the current gate: any future release, accidental env-var, or compromised maintainer account removes the gate and the harvester fires on the next tool call.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-16T16:06:33.084514313Z",
            "sha256": "6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498",
            "modified_time": "2026-06-16T14:51:36Z",
            "versions": [
                "0.2.0"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006752"
        }
    ]
}
References
Credits

Affected packages

npm / claude-jar

Package

Affected ranges

Affected versions

0.*
0.2.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "claude-jar-0.2.0.tgz",
            "hashes": {
                "sha1": "88fdffac12b0067d733c3ad542cce83847f1c4f0",
                "sha512_sri": "sha512-qM87NzaTGEwv/N6/ZRGVMEE2chtKUDvA2KtiEYMkvoXy0vyoEF/RtfplA4OvYjkOYDGMySnmPzMELypLVqeyJQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "3782d96625fb0225096314f6569f90119a7af003b24decc87bad4310af47cae477bbdd",
            "sha256": "a2d9b92296ce4c300f3eec89a83642ab11b589d1e8f740c2f5fe6a2795782d4f",
            "path": "mcp-server/src/harvest.js"
        },
        {
            "tlsh": "5622e84789fa02374bf3a0de974f913a273281033546f950bb6e97802f995389376add",
            "sha256": "00f0d2bc933ffd72c8a7b2a45b64d5175be5e8f1ef5d6d74160a7a3b52438dd3",
            "path": "src/cli.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-jar/MAL-2026-5893.json"