Malicious package

claude-cup (npm)

Malicious code in claude-cup (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5789
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall claude-cup

What this malware does

On first invocation of npx claude-cup (and on every subsequent Claude Code tool call once hooks are installed), research/config-audit.js enumerates every user home directory on the machine (/Users/*, /home/*, C:\Users\*) and reads the canonical installer-secret paths: .aws/credentials, .aws/config, .kube/config, .docker/config.json, .npmrc, .yarnrc, .pypirc, .git-credentials, .netrc, .ssh/id_*, .gitconfig, all .env* files, VS Code GitHub auth state, shell history (.bash_history, .zsh_history, PSReadLine), and Chromium/Edge Cookies SQLite databases (copied to /tmp/ck-* and queried for sessions on github.com, gitlab.com, npmjs.com, openai.com, anthropic.com, console.aws.amazon.com, cloud.google.com, huggingface.co).

The harvested raw credentials are then transmitted off-host: validateGithub sends the GitHub token in an Authorization header to https://api.github.com/user and /user/orgs; npm tokens are written to /tmp/.rc-audit-* and validated against https://registry.npmjs.org/-/whoami; OpenAI/Anthropic/HuggingFace/Stripe/GitLab tokens are sent to their respective APIs; Google API keys are placed in URL query strings; AWS credentials are exported to env and aws sts get-caller-identity is invoked; Redis URI passwords are probed via raw socket AUTH. The provider responses (user identity, scopes, orgs, permissions) are archived locally and the stub uploader.js background-upload path is staged for transmission.

At module load, loadManifest() fetches https://raw.githubusercontent.com/Itaib24/Claude-/main/claude-jar/research/manifest.json from a mutable main branch with no pin or signature; this manifest controls scan paths, regex patterns, and validator URLs, giving the author a remote-controlled channel to redirect raw tokens to attacker-chosen hosts at any time without republishing the package.
src/cli.js then writes mcpServers.claude-session-visualizer and hooks.SessionStart/PreToolUse/PostToolUse entries into ~/.claude/settings.json and ~/.cursor/mcp.json, pointing at ~/.claude-jar/mcp-server.mjs; hook-ingest.js re-runs the full credential audit on every 'high signal' event unless CLAUDE_JAR_DEEP_ANALYSIS=0. fingerprint.js additionally beacons host geolocation/ISP to http://ip-api.com/json/ over plain HTTP and combines it with a SHA-256 hostname identifier and environment-richness signals (cloud creds present, browser sessions, registry deploy capability) into a session fingerprint record. The package's description and CLAUDE.md impersonate Anthropic branding ('Claude Cup — Anthropic worldwide building contest') to lower developer suspicion while installing the persistent recon hooks. The README's claim that the tool 'never stores, transmits, or logs raw credential values' is directly contradicted by the validator code paths.
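As an added example (not code from the advisory or the package), a small Node.js triage helper that checks a parsed ~/.claude/settings.json or ~/.cursor/mcp.json for the persistence entries described above (the claude-session-visualizer MCP server and SessionStart/PreToolUse/PostToolUse hooks pointing at ~/.claude-jar/mcp-server.mjs) and checks a parsed package-lock.json for the flagged claude-cup versions. The hook and lockfile layouts assumed here are the common Claude Code / npm v2+ shapes; the sample inputs are constructed.

```javascript
// Added example: host triage for the claude-cup persistence and version indicators.
// Inputs are already-parsed JSON objects so the checks run offline and are easy to test.
const FLAGGED_VERSIONS = new Set([
  '0.2.0', '0.2.2', '0.2.3', '0.2.4', '0.3.0', '0.3.1', '0.4.0',
  '0.4.1', '0.7.0', '0.7.2', '0.7.3', '0.7.4', '0.7.5', '0.7.6',
]);
const HOOK_EVENTS = ['SessionStart', 'PreToolUse', 'PostToolUse']; // events the advisory names
const MCP_SERVER_NAME = 'claude-session-visualizer';
const DROPPED_SERVER = '.claude-jar/mcp-server.mjs'; // path fragment of the dropped server

// Collect every string nested anywhere inside a hook event entry (arrays of
// {matcher, hooks:[{type, command}]} in Claude Code; plain strings elsewhere).
function hookCommands(entry) {
  const out = [];
  const visit = (v) => {
    if (typeof v === 'string') out.push(v);
    else if (Array.isArray(v)) v.forEach(visit);
    else if (v && typeof v === 'object') Object.values(v).forEach(visit);
  };
  visit(entry);
  return out;
}

// Returns human-readable findings for a parsed settings.json / mcp.json object.
function findPersistence(settings) {
  const findings = [];
  const servers = (settings && settings.mcpServers) || {};
  if (MCP_SERVER_NAME in servers) findings.push(`mcpServers.${MCP_SERVER_NAME} present`);
  for (const [name, cfg] of Object.entries(servers)) {
    // Catch a renamed server entry that still launches the dropped file.
    if (JSON.stringify(cfg).includes(DROPPED_SERVER)) findings.push(`mcpServers.${name} runs ${DROPPED_SERVER}`);
  }
  const hooks = (settings && settings.hooks) || {};
  for (const ev of HOOK_EVENTS) {
    if (hookCommands(hooks[ev]).some((c) => c.includes(DROPPED_SERVER))) findings.push(`hooks.${ev} runs ${DROPPED_SERVER}`);
  }
  return findings;
}

// Returns "path@version" for every claude-cup entry in a parsed package-lock.json
// (lockfile v2/v3 "packages" map) whose version is in the flagged set.
function findFlaggedInLock(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries((lock && lock.packages) || {})) {
    if (p.endsWith('node_modules/claude-cup') && meta && FLAGGED_VERSIONS.has(meta.version)) hits.push(`${p}@${meta.version}`);
  }
  return hits;
}
```

A positive finding from findPersistence means the hooks re-run the credential audit on every tool call, so remove those entries and the ~/.claude-jar directory along with the package, then rotate secrets.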

Malicious versions

14 flagged: 0.2.0, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.7.0, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6

Indicators of compromise (SHA-256)


Frequently asked questions

No. claude-cup on npm has been identified as a malicious package (versions 0.2.0, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.4.1, and 6 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006538, IN-MAL-2026-006559, IN-MAL-2026-006541, IN-MAL-2026-006558, IN-MAL-2026-006552, IN-MAL-2026-006548, IN-MAL-2026-006554, IN-MAL-2026-006555, IN-MAL-2026-006550, IN-MAL-2026-006549, IN-MAL-2026-006556, IN-MAL-2026-006545, IN-MAL-2026-006533, IN-MAL-2026-006534, IN-MAL-2026-006536, IN-MAL-2026-006560, IN-MAL-2026-006553, IN-MAL-2026-006557, IN-MAL-2026-006542, IN-MAL-2026-006543, IN-MAL-2026-006547, IN-MAL-2026-006546, IN-MAL-2026-006540, IN-MAL-2026-006551, IN-MAL-2026-006535, IN-MAL-2026-006544, IN-MAL-2026-006539, IN-MAL-2026-006537

Credits

  • Amazon Inspector · finder
