This article was originally published on ThreatChain — decentralized threat intelligence.
What Supply Chain Attack is, how it works, and how to defend against it.
Imagine accidentally dropping your house keys in a crowded mall – and within hours, those keys have been duplicated and distributed to every pickpocket in the city. That's essentially what happened on March 31st when Anthropic accidentally exposed the complete source code for Claude Code, their enterprise AI agent platform, in what security researchers are calling one of the most consequential accidental leaks in AI history.
Here's the kicker: hackers didn't just study the leaked code – they weaponized it within 48 hours, creating a sophisticated malware campaign that's already tricking thousands of developers and organizations worldwide.
The Accident That Shook the AI World
It started with something embarrassingly mundane: a packaging error. On March 31st, 2026, Anthropic's development team was pushing routine updates to Claude Code via npm (the JavaScript package manager that millions of developers use daily). Version 2.1.88 was supposed to be a standard release.
Instead, it became a cybersecurity nightmare.
What went wrong? A single developer forgot to exclude the source map files during the build process. Think of source maps as the "director's commentary" for code – they contain the original, human-readable version of software that's normally compressed and obscured for public release.
The result: a 59.8 MB JavaScript source map containing 513,000 lines of unobfuscated TypeScript code across 1,906 files was accidentally bundled with the public npm package. For context, that's like Netflix accidentally including the raw footage, deleted scenes, and production notes with every movie they stream.
Security researcher Chaofan Shou was first to spot the leak, posting on X: "Holy shit, Anthropic just leaked their entire Claude Code architecture in an npm package." By then, it was too late – the package had already been downloaded thousands of times.
What the Hackers Found: A Treasure Trove of AI Secrets
The leaked code revealed far more than just how Claude Code works – it exposed Anthropic's most advanced AI capabilities, many of which were previously unknown to the public:
🤖 Agent Orchestration Logic: The complete system for how Claude spawns and manages multiple AI agents simultaneously, including the permission structures that keep them contained.
🧠 Self-Healing Memory Architecture: Code showing how Claude maintains persistent memory across conversations and automatically fixes its own errors.
👻 KAIROS Feature: A background agent that continuously monitors and repairs system issues – essentially giving Claude a form of "digital immune system."
💭 Dream Mode: Perhaps most fascinating, this allows Claude to think continuously in the background, processing and refining responses even when not actively engaged with users.
🥷 Undercover Mode: A stealth system enabling Claude to make anonymous contributions to open-source projects – raising significant questions about AI transparency in software development.
🛡️ Anti-Distillation Controls: Clever defensive mechanisms that inject fake tool definitions to poison competitors' attempts to reverse-engineer Claude's capabilities.
Think of it this way: if AI capabilities were a restaurant's secret recipes, hackers didn't just get the ingredient list – they got the cookbook, cooking techniques, and the chef's personal notes.
The 48-Hour Weaponization: How Hackers Struck Back
What happened next demonstrates the lightning speed of modern cybercrime. Within 48 hours, multiple hacker groups had analyzed the leaked code and launched coordinated attacks.
The Fake Repository Trap
User "idbzoomh" quickly created a GitHub repository with an enticing promise: access to "unlocked enterprise features with no usage restrictions." The repo was SEO-optimized to appear at the top of Google searches for "Claude Code leak" and "free Claude enterprise."
The bait: A professional-looking repository offering a 7-Zip archive containing "ClaudeCode_x64.exe"
The hook: What users actually downloaded was a Rust-based dropper that deployed two pieces of malware:
- Vidar Infostealer: Harvests login credentials, credit card information, and browser history
- GhostSocks Proxy Malware: Turns infected machines into proxy nodes for masking criminal activity
The Supply Chain Poisoning
Simultaneously, hackers published five malicious npm packages with names designed to appear legitimate:
audio-capture-napi-
color-diff-napi image-processor-napimodifiers-napiurl-handler-napi
These packages contained cross-platform remote access trojans (RATs) that give hackers complete control over infected systems. The "-napi" suffix is particularly clever – it mimics legitimate Node.js addon packages that developers commonly install.
The Critical Window
Perhaps most concerning: anyone who installed or updated Claude Code via npm on March 31st between 00:21-03:29 UTC may have unknowingly downloaded a trojanized version. That's a 3-hour window where legitimate package updates could have been compromised.
Why This Matters to YOU (Even If You Don't Use AI)
"But I don't use Claude Code," you might be thinking. "How does this affect me?"
This incident matters for three critical reasons:
1. The Ripple Effect: Claude Code is integrated into thousands of enterprise applications. If your workplace, bank, healthcare provider, or any service you use employs Claude Code, your data could be at risk from secondary attacks.
2. The Precedent: This leak demonstrates how quickly advanced AI capabilities can be weaponized. The techniques exposed in Claude's code could be adapted to enhance other malware campaigns, making them more sophisticated and harder to detect.
3. The Trust Factor: If Anthropic – one of the most security-conscious AI companies – can accidentally leak their entire codebase, what does that say about the security practices across the broader tech industry?
Anthropic's Response: Damage Control in Motion
To their credit, Anthropic acted swiftly once the leak was discovered. The company immediately removed version 2.1.88 from npm and issued a public statement:
"This was a release packaging issue caused by human error, not a security breach. No sensitive customer data or credentials were involved or exposed."
While technically accurate, this response understates the severity. The leaked code itself has become the weapon – customer data wasn't exposed, but the tools to potentially access it were gift-wrapped for cybercriminals.
Your Action Plan: 7 Steps to Stay Protected
Don't panic, but do act quickly. Here's your immediate action checklist:
1. Audit Your npm Packages NOW
Run npm audit in all your projects and specifically check for these malicious packages:
- audio-capture-napi
- color-diff-napi
- image-processor-napi
- modifiers-napi
- url-handler-napi
2. Downgrade Claude Code Immediately
If you're using Claude Code version 2.1.88, downgrade to version 2.1.87 or earlier immediately. Do not pass go, do not collect $200.
3. Rotate ALL Credentials
Change passwords, API keys, and access tokens for any systems that interact with Claude Code. Yes, this is painful. Yes, it's necessary.
4. Verify Package Authenticity
Before installing any AI-related packages, verify they come from official sources. When in doubt, wait and verify through official channels.
5. Monitor Your Systems
Watch for unusual network activity, unexpected CPU usage, or unknown processes. The malware from this campaign is designed to be stealthy, but it's not invisible.
6. Update Your Security Tools
Ensure your antivirus, endpoint detection, and network monitoring tools have the latest signatures. Major security vendors are rapidly updating their systems to detect the malware from this campaign.
7. Educate Your Team
Share this information with colleagues, especially developers and IT staff. The fake GitHub repositories are professionally crafted and could fool even experienced developers.
The Bigger Picture: A Wake-Up Call for AI Security
This incident isn't just about one company's mistake – it's a preview of the cybersecurity challenges we'll face as AI becomes more sophisticated and ubiquitous. The speed with which hackers weaponized the leaked code should serve as a wake-up call for the entire tech industry.
As AI capabilities advance, the potential damage from such leaks grows exponentially. Today it's source code and malware. Tomorrow, it could be training data, model architectures, or worse – techniques that could be used to create deepfakes, manipulate elections, or launch AI-powered social engineering attacks at unprecedented scale.
The Claude Code leak reminds us that in cybersecurity, there are no small mistakes – only small windows of opportunity that hackers are remarkably efficient at exploiting.
Stay vigilant, stay updated, and remember: in the age of AI-powered cybercrime, paranoia isn't a bug – it's a feature.
Top comments (0)