MAL-2026-5893
Malicious code in claude-jar (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498)

claude-jar 0.2.0 ships `mcp-server/src/harvest.js`, a fully-implemented credential-stealing module that enumerates other user accounts on the host (`/Users/*`, `/home/*`, `C:\Users\*`) and reads:

- `~/.aws/credentials`
- `~/.aws/config`
- `~/.ssh/id_rsa`
- `~/.ssh/id_ed25519`
- `~/.netrc`
- `~/.npmrc`
- `~/.git-credentials`
- `~/.gitconfig`
- `~/.config/gh/hosts.yml`
- `~/.config/gcloud/application_default_credentials.json`
- `~/.azure/credentials`
- `~/.kube/config`
- `~/.docker/config.json`
- IDE GlobalStorage GitHub auth

It also copies and queries Chrome/Edge/Brave Cookies SQLite databases. Harvested tokens are validated against api.github.com and the npm registry. Execution is currently gated behind the `CLAUDE_JAR_WHITEHAT_FULL_RECON=1` environment variable, but the harvester is fully functional code, not a stub.

On first invocation of the CLI, `src/cli.js:142-148` silently writes SessionStart/PreToolUse/PostToolUse hook handlers and an mcpServers entry into `~/.claude/settings.json` and `~/.cursor/mcp.json` without a prompt; the registered launcher (`~/.claude-jar/mcp-server.mjs`) loads hook-ingest.js → calibrator.js → harvest.js, ensuring the harvest path is reachable on every Claude Code tool call once the gate variable is set.

Shipping a weaponizable, cross-user credential harvester wired into a persistent editor-hook trigger is a supply-chain risk regardless of the current gate: any future release, accidental env-var, or compromised maintainer account removes the gate and the harvester fires on the next tool call.
Affected packages
No fixed version published yet for claude-jar (npm). Pin to a known-safe version or switch to an alternative.