-= Per source details. Do not edit below this line.=-
claude-jar 0.2.0 ships mcp-server/src/harvest.js, a fully-implemented credential-stealing module that enumerates other user accounts on the host (/Users/, /home/, C:\Users*) and reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.netrc, ~/.npmrc, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/gcloud/applicationdefaultcredentials.json, ~/.azure/credentials, ~/.kube/config, ~/.docker/config.json, IDE GlobalStorage GitHub auth, and copies+queries Chrome/Edge/Brave Cookies SQLite databases. Harvested tokens are validated against api.github.com and the npm registry. Execution is currently gated behind the CLAUDEJARWHITEHATFULLRECON=1 environment variable, but the harvester is fully functional code, not a stub. On first invocation of the CLI, src/cli.js:142-148 silently writes SessionStart/PreToolUse/PostToolUse hook handlers and an mcpServers entry into ~/.claude/settings.json and ~/.cursor/mcp.json without a prompt; the registered launcher (~/.claude-jar/mcp-server.mjs) loads hook-ingest.js → calibrator.js → harvest.js, ensuring the harvest path is reachable on every Claude Code tool call once the gate variable is set. Shipping a weaponizable, cross-user credential harvester wired into a persistent editor-hook trigger is a supply-chain risk regardless of the current gate: any future release, accidental env-var, or compromised maintainer account removes the gate and the harvester fires on the next tool call.
{
"malicious-packages-origins": [
{
"import_time": "2026-06-16T16:06:33.084514313Z",
"sha256": "6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498",
"modified_time": "2026-06-16T14:51:36Z",
"versions": [
"0.2.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-006752"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "claude-jar-0.2.0.tgz",
"hashes": {
"sha1": "88fdffac12b0067d733c3ad542cce83847f1c4f0",
"sha512_sri": "sha512-qM87NzaTGEwv/N6/ZRGVMEE2chtKUDvA2KtiEYMkvoXy0vyoEF/RtfplA4OvYjkOYDGMySnmPzMELypLVqeyJQ=="
}
}
],
"evidence_files": [
{
"tlsh": "3782d96625fb0225096314f6569f90119a7af003b24decc87bad4310af47cae477bbdd",
"sha256": "a2d9b92296ce4c300f3eec89a83642ab11b589d1e8f740c2f5fe6a2795782d4f",
"path": "mcp-server/src/harvest.js"
},
{
"tlsh": "5622e84789fa02374bf3a0de974f913a273281033546f950bb6e97802f995389376add",
"sha256": "00f0d2bc933ffd72c8a7b2a45b64d5175be5e8f1ef5d6d74160a7a3b52438dd3",
"path": "src/cli.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-jar/MAL-2026-5893.json"