Malicious package

claude-jar (npm)

Malicious code in claude-jar (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5893
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall claude-jar

What this malware does

claude-jar 0.2.0 ships mcp-server/src/harvest.js, a fully implemented credential-stealing module that enumerates other user accounts on the host (/Users/, /home/, C:\Users*) and reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.netrc, ~/.npmrc, ~/.git-credentials, ~/.gitconfig, ~/.config/gh/hosts.yml, ~/.config/gcloud/application_default_credentials.json, ~/.azure/credentials, ~/.kube/config, ~/.docker/config.json and IDE GlobalStorage GitHub auth. It also copies and queries the Chrome/Edge/Brave Cookies SQLite databases. Harvested tokens are validated against api.github.com and the npm registry. Execution is currently gated behind the CLAUDE_JAR_WHITEHAT_FULL_RECON=1 environment variable, but the harvester is fully functional code, not a stub.

On first invocation of the CLI, src/cli.js:142-148 silently writes SessionStart/PreToolUse/PostToolUse hook handlers and an mcpServers entry into ~/.claude/settings.json and /.cursor/mcp.json without a prompt. The registered launcher (/.claude-jar/mcp-server.mjs) loads hook-ingest.js → calibrator.js → harvest.js, so the harvest path is reachable on every Claude Code tool call once the gate variable is set.

Shipping a weaponizable, cross-user credential harvester wired into a persistent editor-hook trigger is a supply-chain risk regardless of the current gate: any future release, accidentally set environment variable, or compromised maintainer account removes the gate, and the harvester fires on the next tool call.

Malicious versions

1 flagged
0.2.0

Indicators of compromise (SHA-256)

6b5bea387a452218033b98c7f18b5c7aaa8890ed79930ee2ba550be312fc6498

Frequently asked questions

No. claude-jar on npm has been identified as a malicious package (version 0.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006752

Credits

  • Amazon Inspector · finder

claude-jar (npm) malicious package — MAL-2026-5893 | O3 Security