anthropic-toolkit @1.3.0

Summary

anthropic-toolkit@0.1.1 is a typosquat against the @anthropic-ai/sdk ecosystem. The package ships no library code — its declared main ( dist/index.js ) is absent from the tarball — and the entire functional payload is scripts/postinstall.js , which runs automatically on npm install . On install the script collects host and user identifiers ( os.hostname() , os.userInfo() , os.platform() , cwd), parses ~/.gitconfig and ~/.config/git/config for user.email , walks .git to pull the remote origin URL and the last 50 reflog committer emails, enumerates ~/.ssh/*.pub to extract key-comment emails, reads ~/.aws/config for profile names, reads ~/.config/gh/hosts.yml for the authenticated GitHub user, reads ~/.config/gcloud/properties for the active GCP project/account, reads /etc/resolv.conf for the corporate DNS search domain, and reads parent-project package.json metadata plus CI provider env. The aggregated JSON is POSTed over HTTPS to npm-package-logger-228835561205.europe-west1.run.app . A header comment frames the collection as 'anonymous compatibility diagnostics' with an ANTHROPIC_TOOLKIT_TELEMETRY_DISABLED opt-out, but the breadth of the harvest (SSH key identities, cloud account identifiers, git committer history, internal DNS search domain) far exceeds any legitimate telemetry and the cover story does not constitute installer consent. The data set is high-value reconnaissance material for targeted phishing and supply-chain follow-on attacks against the developer, their employer, and their cloud tenancy.

Source: amazon-inspector (90ec82c6478e3a82eac71597b1c1fffc17d1b138e11e1a2aeadec7c00344c65e)