I wake up in the morning, open my feed — and right away, two incidents. Both about npm. Both serious. And both happened on the same day.
The first one — in Axios (yes, the one that's everywhere) — spread a RAT trojan for three hours. The second — Anthropic accidentally published the full source code of Claude Code in a public npm package. Half a million lines with prompts and architecture.
Good morning, indeed :)
Axios: 3 hours was more than enough
What happened
Someone hijacked the npm account of Jason Saayman (jasonsaayman) — the main maintainer of Axios. They changed the linked email and manually published two versions:
- "axios@1.14.1" — to the latest branch
- "axios@0.30.4" — to the legacy branch
The versions were live in the public registry from about 00:21 to 03:15 UTC on March 31. Three hours. For a package with over 100 million weekly downloads, that's more than enough.
How the attack worked
The nastiest part: the Axios code itself wasn't touched. Not a single line. Open the sources — everything looks clean. The trick was in package.json.
They added a dependency: plain-crypto-js@4.2.1. The package was created the day before, on March 30. The name looks innocent — just some crypto utility, who would look twice? It's never imported anywhere in the Axios code. Not once.
So why was it there?
- npm install pulls in all dependencies from package.json
- plain-crypto-js contains a postinstall script
- The script downloads the second-stage payload from a C2 server
- It deploys a cross-platform RAT trojan (for macOS, Windows, Linux)
- After installation, the script cleans up after itself — it replaces package.json with a clean version
That last point is especially nasty. The trojan is already running, but when you check package.json, everything looks normal. No trace of plain-crypto-js.
Phantom dependency
This is called a phantom (ghost) dependency. It's not used in the code, not imported, and exists only for the side effect during installation. Normal code review won't catch it because the .js files are clean.
You scan the sources for suspicious code? Good. But do you check package.json for new dependencies? Or postinstall scripts in transitive dependencies?
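To make that check concrete, here is an added example (not code from Axios or from the incident write-ups): it diffs the dependencies of two release manifests and flags anything new that is never imported but declares an install hook. The manifests, the source snippet and the "node setup.js" script value are constructed, and reviewRelease / importedPackages are hypothetical helper names.

```javascript
// Added example: review what a new release adds to package.json.
// All manifests and sources below are constructed sample data.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Collect package names referenced by require(), import ... from, import().
function importedPackages(sources) {
  const found = new Set();
  const re = /(?:require\s*\(|from\s*|import\s*\(?)\s*["']([^"']+)["']/g;
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(re)) {
      const spec = m[1];
      if (spec.startsWith(".") || spec.startsWith("/")) continue; // local file
      // Reduce "pkg/sub/path" or "@scope/pkg/sub" to the package name.
      const parts = spec.split("/");
      found.add(spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
    }
  }
  return found;
}

// Dependencies present in nextManifest but not in prevManifest, annotated
// with whether the code imports them and which install hooks they declare.
function reviewRelease(prevManifest, nextManifest, sources, depManifests) {
  const before = prevManifest.dependencies || {};
  const after = nextManifest.dependencies || {};
  const used = importedPackages(sources);
  return Object.keys(after)
    .filter((name) => !Object.hasOwn(before, name))
    .map((name) => {
      const scripts = (depManifests[name] || {}).scripts || {};
      const installHooks = INSTALL_HOOKS.filter((h) => Object.hasOwn(scripts, h));
      const imported = used.has(name);
      return { name, range: after[name], imported, installHooks,
               phantom: !imported && installHooks.length > 0 };
    });
}

// Constructed sample input modelled on the two Axios manifests.
const prev = { version: "1.14.0",
  dependencies: { "follow-redirects": "^1.15.0", "form-data": "^4.0.0" } };
const next = { version: "1.14.1",
  dependencies: { ...prev.dependencies, "plain-crypto-js": "4.2.1" } };
const sources = { "lib/adapters/http.js":
  'import followRedirects from "follow-redirects";\nconst FormData = require("form-data");' };
// "node setup.js" is a placeholder; the real script name is not on this page.
const depManifests = { "plain-crypto-js": { scripts: { postinstall: "node setup.js" } } };

const findings = reviewRelease(prev, next, sources, depManifests);
console.log(JSON.stringify(findings, null, 2));
```

The import scan is a regex heuristic, so treat "imported: false" as a prompt to look at the dependency by hand, not as proof.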
What to do right now
Safe versions:
| Branch | Malicious | Safe |
|---|---|---|
| latest | 1.14.1 | 1.14.0 |
| legacy | 0.30.4 | 0.30.3 |
If your project installed exactly those versions in the window from 00:21 to 03:15 UTC on March 31 — treat the system as compromised. Not "possibly". Compromised.
You need to:
- Check package-lock.json / yarn.lock for "axios@1.14.1" or "axios@0.30.4"
- Search for "plain-crypto-js" in the dependency tree
- If you find it — the machine where npm install ran is infected
- Rotate all keys, secrets, and tokens — the full set
StepSecurity, Socket, Endor Labs, Aikido, and Huntress have confirmed the details and published IOCs.
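The first two checks from the list above as a small script. This is an added example, not tooling from the vendors mentioned; the function names and both sample lockfiles are made up for illustration, while the versions and the package name come from this article.

```javascript
// Added example: scan lockfiles for the package versions and the
// dependency name listed in this article.
const BAD_VERSIONS = new Map([["axios", ["1.14.1", "0.30.4"]]]);
const BAD_NAMES = ["plain-crypto-js"]; // any version counts as a hit

function classify(name, version, where, hits) {
  const bad = BAD_NAMES.includes(name) || (BAD_VERSIONS.get(name) || []).includes(version);
  if (bad) hits.push({ name, version, where });
}

// `lock` is a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function scanPackageLock(lock) {
  const hits = [];
  // v2/v3: flat map keyed by install path, nested copies included.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or a local workspace folder
    classify(entry.name || path.slice(i + 13), entry.version, path, hits);
  }
  const walk = (deps, trail) => { // v1: nested "dependencies" tree
    for (const [name, entry] of Object.entries(deps || {})) {
      classify(name, entry.version, trail.concat(name).join(" > "), hits);
      walk(entry.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// `text` is the content of yarn.lock (classic or Berry layout).
function scanYarnLock(text) {
  const hits = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    const head = /^"?(@?[^@"\s]+)@/.exec(line); // e.g. axios@^0.30.0:
    if (head) name = head[1];
    const ver = /^ {2}version:? "?([^"\s]+)"?/.exec(line);
    if (ver && name) classify(name, ver[1], "yarn.lock", hits);
  }
  return hits;
}

// Constructed sample lockfiles.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" }, "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "4.2.1" },
  "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.3" } } };
const sampleYarn = 'axios@^0.30.0:\n  version "0.30.4"\n\nlodash@^4.17.0:\n  version "4.17.21"\n';
console.log(scanPackageLock(sampleLock), scanYarnLock(sampleYarn));
```

Feed it the parsed package-lock.json or the raw text of yarn.lock from each project and build machine. A lockfile regenerated after the window will come back clean, so an empty result does not clear a machine that installed during those three hours.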
Who was behind the attack
Several sources — including Google and Reuters — point to the North Korean group UNC1069 / Lazarus. Supply-chain attacks via maintainer account takeover are their classic playbook.
Important note: the npm registry itself wasn't hacked. The infrastructure wasn't affected. The attackers simply logged in under a real account and ran npm publish. From the system's point of view, it was completely legitimate.
Claude Code: when someone forgot about .npmignore
What happened
On the same day, Anthropic released a new version of their CLI agent to npm — "@anthropic-ai/claude-code@2.1.88". A routine release. But the package included a cli.js.map file weighing 59.8 MB.
That's a sourcemap. And through it, you can restore the entire original source code of the project.
The scale
From that one file they recovered:
- ~512,000 lines of TypeScript
- ~1,900 files
- The agent's internal logic
- System prompts
- Memory and planning mechanisms, tool handling
- Unannounced features
The sourcemap also pointed to a ZIP archive in Anthropic's public R2 bucket. Security researcher Chaofan Shou was the first to post about it on X. The code was mirrored on GitHub almost instantly.
The cause
Anthropic confirmed it: a mistake in the build process. They forgot to exclude the source maps via .npmignore. That's it.
No hack. No user data leak. Just a missing line in the build config.
The version was quickly removed and a fix was released. But the code had already spread.
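A pre-publish check for exactly this mistake, as an added example (not Anthropic's build tooling): it goes through the files that would end up in the tarball, reports every .map file together with the number of original sources embedded in it, and flags sourceMappingURL references. The function names and the tiny sample package are constructed.

```javascript
// Added example: audit the files that would be packed.
// `files` maps a package-relative path to the file's text.
function auditPackFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path.endsWith(".map")) {
      let map = null;
      try { map = JSON.parse(content); } catch { /* report it anyway */ }
      const list = (key) => (map && Array.isArray(map[key]) ? map[key] : []);
      findings.push({
        path, kind: "sourcemap", chars: content.length,
        sources: list("sources").length,
        // Entries of sourcesContent hold the original files verbatim.
        embedded: list("sourcesContent").filter((s) => typeof s === "string").length,
      });
      continue;
    }
    const ref = /\/[/*]# sourceMappingURL=(\S+)/.exec(content);
    if (!ref) continue;
    if (ref[1].startsWith("data:")) findings.push({ path, kind: "inline-sourcemap" });
    else findings.push({ path, kind: "map-reference", target: ref[1] });
  }
  return findings;
}

// A release gate: a bare reference is only a warning, a shipped map is not.
function blockingFindings(files) {
  return auditPackFiles(files).filter((f) => f.kind !== "map-reference");
}

// Constructed sample package contents (tiny stand-ins for a real build).
const samplePackage = {
  "package.json": '{"name":"demo-cli","version":"1.0.0"}',
  "cli.js": 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  "cli.js.map": JSON.stringify({
    version: 3, file: "cli.js", mappings: "AAAA",
    sources: ["../src/main.ts", "../src/prompts.ts"],
    sourcesContent: ["export const a = 1;", "export const SYSTEM = 'x';"],
  }),
};
console.log(blockingFindings(samplePackage));
```

The list of files that would actually ship can be taken from npm pack --dry-run --json. An allowlist in the "files" field of package.json fails closed, unlike a forgotten .npmignore entry.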
A Korean developer at 4 AM and 50,000 stars in two hours
While Anthropic was sending DMCA takedowns to mirrors of the leaked code, one person in Korea took a different route.
Sigrid Jin (GitHub: instructkr) is a well-known power user of Claude Code. How well-known? According to the Wall Street Journal, in the past year he generated more than 25 billion tokens through the tool. Twenty-five billion. The guy clearly knew the architecture inside out.
On the morning of April 1, around 4 AM local time, Jin woke up to notifications about the leak. He saw Anthropic taking down mirrors of the original code and made a decision: don't copy — rewrite.
Clean room
Jin didn't fork the leaked TypeScript. That would have been taken down by DMCA in a day. Instead, he did a clean-room reimplementation — rewriting the key patterns and architecture from scratch, this time in Python:
- Agent harness
- Tools
- Memory and planning
- Swarms of sub-agents
To speed things up, he used the AI tool oh-my-codex (OmX). The repository claw-code was live before sunrise.
Different language, different code, no copy-paste — legally, this is a new creative work. Gergely Orosz from Pragmatic Engineer and other lawyers/developers confirmed: such a "clean rewrite" is legally solid.
Anthropic couldn't take the repo down via DMCA. It's still alive.
GitHub record
Then the madness began.
| Metric | Count |
|---|---|
| Stars after ~2 hours | 50,000 |
| Stars after ~24 hours | 100,000+ |
| Forks in the first day | 50,000 - 58,000 |
50,000 stars in two hours. According to the author and several media outlets — the fastest-growing repository in GitHub history.
Later, Jin started porting the same architecture to Rust — that version also quickly gained tens of thousands of stars.
In essence, the community turned a corporate leak into a fully open clone of an AI agent in just a few hours. Jin himself later described the project's goal simply: "Better Harness Tools" — better tools that actually get things done.
You can argue whether it's ethical to build on someone else's leak. But legally — it's clean. And 100,000 stars in a day show that demand for an open alternative was huge long before March 31.