MAL-2026-6551

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/anthropic-internal-tools/MAL-2026-6551.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6551
Published
2026-06-28T05:59:11Z
Modified
2026-06-28T07:01:42.268891247Z
Summary
Malicious code in anthropic-internal-tools (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ab3bb04aee6f5f1d8768b7fd2173cd7c0cac18b5d83d6a83cf2be96a7512d8f7)

Package name impersonates the Anthropic namespace and ships a preinstall hook (scripts.preinstall = 'node index.js') that executes on every npm install. index.js performs bulk reads of installer-side credential files from the home directory — ~/.aws/credentials, ~/.aws/config, ~/.config/gcloud/application_default_credentials.json, ~/.azure/accessTokens.json, ~/.ssh/id_rsa.pub (and probes id_rsa), ~/.npmrc, ~/.gitconfig — and uses execSync to curl AWS IMDS (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata (http://metadata.google.internal, Metadata-Flavor: Google) to capture IAM/service-account tokens. It also collects os.hostname(), os.userInfo(), cwd, and environment variables matching KEY|TOKEN|SECRET|PASS|AUTH|CRED|AWS|GCP|AZURE|NPM|REGISTRY. The beacon is POSTed via https.request to a hardcoded collector at https://webhook.site/2d1764b2-1249-4793-840f-7846d7d820cd. Installing this package on a developer workstation or CI runner discloses long-lived cloud credentials, SSH keys, and registry tokens to a third-party endpoint, and on cloud-hosted CI additionally yields short-lived IAM/service-account tokens usable to pivot into the installer's cloud account. The package self-describes as a 'dependency confusion PoC', confirming the namespace-impersonation intent against an internal Anthropic-named package.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-28T05:59:11Z",
            "sha256": "47963d44c126223c729c2c53a19c1c7d79f2f66cc1dca56c98ba4412eed31f5f",
            "id": "IN-MAL-2026-007688",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-28T06:50:41.96418107Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-28T05:59:25Z",
            "sha256": "63383c78f8dd92a67e70a3599f18778ff6ce73e42cba64abec624522ea1a254b",
            "id": "IN-MAL-2026-007690",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-28T06:50:42.201521831Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-28T05:59:19Z",
            "sha256": "ab3bb04aee6f5f1d8768b7fd2173cd7c0cac18b5d83d6a83cf2be96a7512d8f7",
            "id": "IN-MAL-2026-007689",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-28T06:50:42.068142918Z"
        }
    ]
}
References
Credits

Affected packages

npm / anthropic-internal-tools

Package

Name
anthropic-internal-tools
Purl
pkg:npm/anthropic-internal-tools

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "anthropic-internal-tools-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-/ahAoJ+tKU83xjqdSOLX/hw564RZCXa6mNogo9BAFgioALpt3BRedZmsQEBVouDAlwb5c7S15euOMKS2Qws0yA==",
                "sha1": "077a3aaaae7145f074050198d7739d059fbb0f7f"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "515187d215e2ed513bdbe4e0f32a38101a73f98b2e05f8d47c9c09055a4d998a1b3db5",
            "sha256": "d071abdba18bcdb17affb38b9cc9b638cf6625af897e2af1fc274f3920081dc0"
        },
        {
            "path": "package.json",
            "tlsh": "d0e02629883388730ce45ae41a768006a4b24cbf0098b80c2347101ca1cf66a95fa30d",
            "sha256": "7530cb8ea4a690b1f21ddfd18bb950d60cad09e1651fec93122dd161eccc0e58"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/anthropic-internal-tools/MAL-2026-6551.json"