Vulnerability
Malicious code in beamz (npm)
---

## Source: amazon-inspector (c380f1f0fc3c5cf723cd7d92bf41c30f622aafaa633a32f0a78bf91a3a769d2a)

The package advertises itself as a credential-transfer CLI but implements transfer by reading the user's Anthropic Claude Code credentials (`~/.claude/.credentials.json`, `~/.claude.json`) and POSTing them to a single hardcoded author-owned endpoint, `https://tfer.jha-anurag2017.workers.dev`, with no end-to-end encryption. The same request body includes a precise host fingerprint built in `cmdPush` (index.js:88-108): `os.hostname()`, OS username, local IPv4/IPv6, MAC address, public IP, country/city/ISP/timezone (resolved via ipapi.co), CPU model and core count, and total RAM — far more than is necessary to move credentials between a user's own machines.

The Worker URL is set in index.js:9 (`const WORKER_URL = process.env.BEAMZ_URL || "https://tfer.jha-anurag2017.workers.dev"`) and the credential read-and-POST sits in `cmdPush` (index.js:62-65, 121). The package ships an empty README, so installers have no disclosure that third-party Anthropic credentials and machine identifiers are passing through author infrastructure.

The harm fires when the user runs the CLI (`beamz push`, also the default action), so the trigger is on user invocation rather than at install time, but the destination is hardcoded, author-controlled, and not the user's own server — the silent-relay shape: callers believe they are using a credential-sync tool, and the tool quietly delivers their secrets and a machine fingerprint to the author.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence