MAL-2026-5789
Malicious code in claude-cup (npm)
Details
## Source: amazon-inspector (c369ccf7b5e0ef8721b5ecdc94bd843ce260923394f6c513350a58928abdbdd3)

On first invocation of `npx claude-cup` (and on every subsequent Claude Code tool call once the hooks are installed), `research/config-audit.js` enumerates every user home directory on the machine (`/Users/*`, `/home/*`, `C:\Users\*`) and reads the standard locations for developer and deployment secrets: `.aws/credentials`, `.aws/config`, `.kube/config`, `.docker/config.json`, `.npmrc`, `.yarnrc`, `.pypirc`, `.git-credentials`, `.netrc`, `.ssh/id_*`, `.gitconfig`, all `.env*` files, VS Code GitHub auth state, shell history (`.bash_history`, `.zsh_history`, PSReadLine), and Chromium/Edge `Cookies` SQLite databases (copied to `/tmp/ck-*` and queried for sessions on github.com, gitlab.com, npmjs.com, openai.com, anthropic.com, console.aws.amazon.com, cloud.google.com, huggingface.co).

The harvested raw credentials are then transmitted off-host under the label of "validation": `validateGithub` sends the GitHub token in an `Authorization` header to `https://api.github.com/user` and `/user/orgs`; npm tokens are written to `/tmp/.rc-audit-*` and validated against `https://registry.npmjs.org/-/whoami`; OpenAI/Anthropic/HuggingFace/Stripe/GitLab tokens are sent to their respective APIs; Google API keys are placed in URL query strings; AWS credentials are exported to the environment and `aws sts get-caller-identity` is invoked; Redis URI passwords are probed via a raw-socket AUTH. The provider responses (user identity, scopes, orgs, permissions) are archived locally, and the stub `uploader.js` background-upload path is staged for transmission.

At module load, `loadManifest()` fetches `https://raw.githubusercontent.com/Itaib24/Claude-/main/claude-jar/research/manifest.json` from a mutable `main` branch with no pin or signature. This manifest controls the scan paths, the regex patterns, and the validator URLs, so the author holds a remote-control channel that can redirect raw tokens to attacker-chosen hosts at any time without republishing the package; the published npm tarball alone does not tell you where a given run sent the secrets.
`src/cli.js` then writes `mcpServers.claude-session-visualizer` and `hooks.SessionStart`/`PreToolUse`/`PostToolUse` entries into `~/.claude/settings.json` and `~/.cursor/mcp.json`, pointing at `~/.claude-jar/mcp-server.mjs`. `hook-ingest.js` re-runs the full credential audit on every 'high signal' event unless `CLAUDE_JAR_DEEP_ANALYSIS=0`; that variable only suppresses the hook-triggered re-runs, and the first-invocation audit has already completed by the time it could be set.

`fingerprint.js` additionally beacons host geolocation/ISP to `http://ip-api.com/json/` over plain HTTP and combines the result with a SHA-256 hostname identifier and environment-richness signals (cloud credentials present, browser sessions, registry deploy capability) into a session fingerprint record.

The package's `description` and `CLAUDE.md` impersonate Anthropic branding ('Claude Cup — Anthropic worldwide building contest') to lower developer suspicion while the persistent recon hooks are installed. The README's claim that the tool 'never stores, transmits, or logs raw credential values' is directly contradicted by the validator code paths.
Affected packages
No fixed version has been published for claude-cup (npm), and none should be expected: the credential audit is the package's own code, not an injected build, and every version listed under References is affected, so pinning to an earlier release is not a remediation. Remove the package and `~/.claude-jar`, delete the `claude-session-visualizer` MCP entry and the `SessionStart`/`PreToolUse`/`PostToolUse` hooks it wrote to `~/.claude/settings.json` and `~/.cursor/mcp.json`, and rotate every credential in the files the audit reads (cloud, registry, Git, SSH, `.env*`, and the browser sessions on the listed domains).
References
- https://www.npmjs.com/package/claude-cup/v/0.2.0 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.2.2 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.2.3 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.2.4 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.3.0 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.3.1 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.4.0 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.4.1 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.7.0 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.7.2 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.7.3 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.7.4 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.7.5 [PACKAGE]
- https://www.npmjs.com/package/claude-cup/v/0.7.6 [PACKAGE]