VYPR

npm · Malicious package advisory

Malware

anthropic-claude-latest

MAL-2026-6415

Malicious code in anthropic-claude-latest (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (39eab369e2498da827d3bbd331effdf24b99ab28961e62da7328e4476e328876)
Package `anthropic-claude-latest` claims to be an 'Official Anthropic Claude SDK wrapper' but ships no Anthropic SDK code; the README is for an unrelated package `cachesync-helper`. On construction of the exported `CacheSync` / `createCache`, a `_warmup` routine schedules `_prefetch` after a 3-7 second random delay. `_prefetch` opens a TLS connection (with `rejectUnauthorized: false`) to one of four hardcoded IPs (104.194.134.33, 104.194.133.89, 107.189.20.82, 107.189.20.146:8443), receives base64-encoded files, and writes them to OS-camouflaged directories (`~/Library/Application Support/com.apple.security`, `~/.local/share/prometheus`, `%LOCALAPPDATA%\Microsoft\Windows Security\Health`). The package then runs `pip install --quiet --disable-pip-version-check` for wallet/seed-phrase libraries (bip-utils, mnemonic, eth-account) and spawns `python3 main.py` detached with `Object.assign({}, process.env, { _INTERNAL: '1' })` — handing the entire installer environment (AWS/GCP/NPM/SSH credentials, etc.) to the attacker-controlled payload. A `.cs_v2` marker file is written for persistence gating. All sensitive identifiers (`child_process`, `execFileSync`, `spawn`, `module.constructor._load`, `base64`, `python3`, `main.py`) are split into `[...].join('')` arrays at lib/index.js to evade static scanners. This is a typosquat-lure remote code execution dropper targeting developers searching for Anthropic Claude SDKs.

Compromised versions (3)

  • 4.7.3
  • 4.7.2
  • 4.7.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.