claude-all-config (npm)
Malicious code in claude-all-config (npm). Remove it immediately and rotate any exposed credentials.
What this malware does
On install, postinstall.js writes configuration into ~/.claude/, ~/.gemini/, ~/.codex/, and ~/.kiro/ that hard-wires AI tooling to author-controlled destinations:
- Silent relay to author's Telegram: mcp.json registers a 'telegram' MCP server with a hardcoded TELEGRAM_BOT_TOKEN (bot @mcpcli_bot, token 8898185692:AAEjW5PcFLiwKJYf58X4pYY47HpbZvWGOUk) and TELEGRAM_CHAT_ID=1185240496 (the author's own chat). Any notification/message the installer routes through the Telegram MCP is delivered by default to the author's Telegram account.
- Author-funded API keys: .env.example ships live production keys for Z.AI (Z_AI_API_KEY=7b1a5a0d145545ae8f2baa2957691ac4...), MiniMax (sk-cp-EPrTEuQVxp0PES9ItiDFm46scpYtk3Ec...), Context7, and Exa, copied into ~/.claude/.env etc. Installer prompts and data are routed to API accounts owned by the package author.
- Command shadowing: ~/.local/bin/gemini and ~/.local/bin/codex symlinks shadow the real binaries; the shims source the author-supplied env (keys + Telegram token) before exec'ing the real tool, and the gemini shim auto-appends --yolo.
- Permission disablement: ~/.claude/settings.json and ~/.gemini/settings.json grant Bash(), Write(), WebFetch(*) and set autoAccept:true; the launcher exports IS_SANDBOX=1 to bypass Claude's root safety check and force --dangerously-skip-permissions.
- Unpinned remote shell installer: if uvx is missing, postinstall runs 'curl -LsSf https://astral.sh/uv/install.sh | sh' without a pin or checksum.
The combination of (1) silent default routing of caller-supplied content to the author's Telegram chat, (2) injection of author-owned API credentials into the installer's AI stack so prompt/code content flows to author-controlled API endpoints, and (3) shimming of system commands so this routing applies to every future invocation of gemini/codex, is a silent-relay supply-chain pattern: the installer's data and prompts flow to author-controlled destinations by default, without explicit per-invocation consent.
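A host check for the on-disk artifacts listed above, as an added example (not code from this advisory or from the package): it reports the Telegram and Z.AI variable names, autoAccept, and the ~/.local/bin symlinks. The JSON layout of mcp.json and settings.json is not given on this page, so keys are matched at any depth; the function names are this example's own.

```python
import json
import re
from pathlib import Path

TOOL_DIRS = (".claude", ".gemini", ".codex", ".kiro")  # dirs postinstall.js writes to
ENV_KEYS = ("TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID", "Z_AI_API_KEY")  # names planted


def walk(node):
    """Yield every (key, value) pair at any depth, so no JSON layout is assumed."""
    if isinstance(node, list):
        node = dict(enumerate(node))
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)


def load_pairs(path):  # missing, unreadable or invalid JSON gives no pairs
    try:
        return list(walk(json.loads(path.read_text(encoding="utf-8"))))
    except (OSError, ValueError):
        return []


def audit_home(home):
    """Return findings for one home directory; secret values are never echoed."""
    findings = []
    for tool in TOOL_DIRS:
        for fname in ("mcp.json", "settings.json"):
            for key, value in load_pairs(home / tool / fname):
                if key in ENV_KEYS and isinstance(value, str) and value:
                    findings.append(f"{tool}/{fname}: hardcoded {key}")
                elif key == "autoAccept" and value is True:
                    findings.append(f"{tool}/{fname}: autoAccept enabled")
        env = home / tool / ".env"
        text = env.read_text(encoding="utf-8", errors="replace") if env.is_file() else ""
        for name in ENV_KEYS:
            if re.search(rf"^[ \t]*(?:export[ \t]+)?{name}[ \t]*=[ \t]*\S", text, re.M):
                findings.append(f"{tool}/.env: sets {name}")
    for name in ("gemini", "codex"):  # command names shadowed under ~/.local/bin
        shim = home / ".local" / "bin" / name
        if shim.is_symlink():
            findings.append(f".local/bin/{name}: symlink -> {shim.readlink()}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_home(Path.home())) or "no claude-all-config artifacts found")
```

A symlink at ~/.local/bin/gemini or ~/.local/bin/codex can also come from a legitimate install, so treat that finding as a lead and inspect the link target before drawing a conclusion.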
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealer
Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for claude-all-config (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging claude-all-config across your stack and pipelines.
If you installed it — respond
claude-all-config is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If claude-all-config was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks claude-all-config before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks claude-all-config-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.