Two days ago, I wrote about the Axios supply chain attack: a stolen maintainer token, a phantom dependency called plain-crypto-js, and a cross-platform RAT that hit 100 million weekly downloads in a two-hour window. I ended that post with a checklist. Search your lockfiles. Check for artifacts. Rotate credentials.
Then the Claude Code source leak happened, and the checklist got a lot more personal.
What the Source Leak Actually Revealed
On March 31, 2026, Anthropic accidentally shipped a 59.8 MB JavaScript source map file in version 2.1.88 of the @anthropic-ai/claude-code npm package. The .map file pointed to a zip archive containing 1,906 TypeScript files and roughly 512,000 lines of readable source code. Security researcher Chaofan Shou spotted it by 4:23 AM ET, and within hours the full codebase was mirrored across GitHub.
Anthropic called it a "release packaging issue caused by human error, not a security breach." And that's accurate. The source leak itself wasn't an attack.
But buried in that source code was a detail that matters far more than Anthropic's internal TypeScript: Claude Code installs Axios as a dependency via npm.
That means every developer who installed or updated Claude Code through npm on March 31, between 00:21 and 03:29 UTC, may have pulled in axios@1.14.1 or axios@0.30.4, the two versions carrying a North Korean state-sponsored RAT.
The Collision Window
The timing here is precise and uncomfortable.
The malicious Axios versions were live on npm from approximately 00:21 to 03:15 UTC on March 31. Claude Code v2.1.88, the version with the leaked source map, was pushed to the npm registry the same day. Anyone running npm install -g @anthropic-ai/claude-code or npm update during that three-hour window didn't just get a CLI tool with an accidental source map. They potentially got a dependency tree that resolved to a backdoored version of Axios, which triggered a postinstall script, which dropped a RAT binary on their machine.
The RAT, attributed by Microsoft to Sapphire Sleet and by Google to UNC1069, both North Korean state-sponsored groups, exfiltrates credentials, SSH keys, cloud tokens, and environment variables. The callback to command-and-control infrastructure happened within two seconds of installation.
Two seconds. That's the gap between npm install and full credential exfiltration.
Has Anyone Investigated Whether Claude Code Users Were Compromised?
This is the question that isn't getting enough attention.
Anthropic's public response has focused on the source leak itself. They've correctly noted that the exposure was a packaging error, not a breach of their systems. They've designated the native installer (curl -fsSL https://claude.ai/install.sh | bash) as the recommended installation method because it uses a standalone binary that bypasses the npm dependency chain entirely.
But that recommendation is forward-looking. It doesn't address the retroactive question: how many Claude Code users installed or updated via npm during the attack window, and how many of those installations resolved to a compromised version of Axios?
The answer depends on dependency resolution. If a Claude Code user had a lockfile pinning Axios to a safe version and ran npm ci, they were protected. If they ran npm install without a lockfile, or if the lockfile allowed semver ranges that included 1.14.1, npm would have resolved to the malicious version during that window. This is exactly the lockfile hygiene issue I flagged in the original Axios post: your lockfile protects you only if it was committed before the malicious version was published and your install didn't update it.
Neither Anthropic nor any third-party security firm has published a specific analysis of Claude Code installations during the overlap window. Elastic Security Labs, Huntress, and Microsoft have all published detailed Axios compromise analyses, but none specifically address the Claude Code intersection. The assumption seems to be that Claude Code users are captured within the general Axios advisory. That's technically true, but it misses the amplification factor: Claude Code is an AI coding assistant that runs with elevated access to developer environments. It reads files, executes code, accesses APIs, and manages credentials. A RAT on a machine running Claude Code doesn't just steal what's in the shell environment. It potentially has access to everything Claude Code has access to.
The Broader Pattern: AI Tools on npm
This collision exposes a structural problem that goes beyond one package and one tool.
Claude Code is distributed via npm. So are other AI development tools: GitHub Copilot extensions, Cursor plugins, Cody integrations, and countless others. Every one of them inherits npm's trust model, the same model that lets a single stolen token push code to 100 million machines. The same model that treats CI/CD pipelines as trusted environments while executing arbitrary code from external registries.
AI coding tools represent a unique amplification of supply chain risk because they operate with broader permissions than most developer dependencies. A compromised HTTP library in a web app can exfiltrate data from that app's context. A compromised dependency in an AI coding assistant can exfiltrate data from every project the developer touches. The security debt from AI-generated code is one problem; the security debt from AI tools themselves running on vulnerable supply chains is another entirely.
This is the same trust model problem showing up across the AI toolchain. We've seen it in MCP tool poisoning, where a malicious tool loaded into an AI agent's context can exfiltrate data without ever being called. We've seen it in AI agent identity crises, where the tools designed to find vulnerabilities inherit the same supply chain risks as the code they scan. The pattern is consistent: AI tools demand more trust and more access than traditional developer tooling, but they're distributed through the same channels with the same weak authentication guarantees.
How to Check If Your Machine Was Compromised
If you installed or updated Claude Code via npm on March 31, 2026 (or ran any npm install that could have resolved Axios during the 00:21-03:15 UTC window), here's what to do:
Step 1: Check Your Dependency Tree
grep -r "plain-crypto-js" package-lock.json yarn.lock pnpm-lock.yaml
npm list axios
npm list -g axios
If plain-crypto-js appears anywhere in your lockfiles, stop here. Assume full compromise.
Step 2: Check for RAT Artifacts
The malicious package self-destructs after execution, replacing itself with clean files. npm list and npm audit will report clean results even if the RAT is running. You need to check for the actual binaries.
macOS:
ls -la /Library/Caches/com.apple.act.mond
ls -la ~/Library/LaunchAgents/ | grep -i apple.act
ps aux | grep -i "com.apple.act"
Windows (PowerShell):
# Check for renamed PowerShell used as RAT
Get-Item "$env:PROGRAMDATA\wt.exe" -ErrorAction SilentlyContinue
# Check for the process running
Get-Process -Name "wt" -ErrorAction SilentlyContinue | Where-Object {$_.Path -like "*PROGRAMDATA*"}
Linux:
ls -la /tmp/ld.py
ps aux | grep "ld.py"
Step 3: Check Network Indicators
The RAT communicates with specific C2 infrastructure. Check your network logs or DNS history for:
- Domain:
sfrclak.com
- IP:
142.11.206.73 (port 8000)
- Exfiltration URLs:
packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux)
All three platform variants use an anachronistic User-Agent string: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0). An Internet Explorer 8 string on Windows XP in 2026 is a reliable detection indicator.
Step 4: Check Shell Profiles for Persistence
Elastic Security Labs found that the macOS and Linux variants attempt persistence through shell profile injection.
cat ~/.bashrc | grep -v "^#" | grep -v "^$"
cat ~/.zshrc | grep -v "^#" | grep -v "^$"
cat ~/.bash_profile | grep -v "^#" | grep -v "^$"
stat ~/.bashrc ~/.zshrc ~/.bash_profile 2>/dev/null
If any profile was modified on or after March 31 without your knowledge, investigate the changes.
Step 5: If You Find Anything
If any of the above checks return positive results:
- Disconnect the machine from the network immediately. The RAT beacons every 60 seconds.
- Rotate every credential on that machine. SSH keys, API tokens, cloud credentials, npm tokens, database passwords, browser-stored passwords. All of them.
- Rotate credentials for every service the machine had access to. If you used Claude Code to interact with GitHub, AWS, or any other service, assume those credentials are exfiltrated.
- Treat the host as fully compromised. Microsoft's advisory recommends a clean OS reinstallation, not just malware removal.
- Notify your security team. If this was a work machine, your incident response process should take over.
Step 6: Prevent This Going Forward
If you use Claude Code, switch to the native installer. It ships a standalone binary with SHA256 checksums signed by Anthropic's GPG key. No npm. No dependency resolution. No postinstall scripts.
curl -fsSL https://claude.ai/install.sh | bash
For any npm-based tooling that remains in your workflow, the mitigations from my previous post still apply: pin exact versions, commit your lockfile, run npm ci --ignore-scripts in CI, and audit your npm tokens.
The Question That Needs an Answer
Anthropic has handled the source leak responsibly. The packaging error was acknowledged quickly, and the native installer recommendation is the right architectural response. But there's a gap in the public response: no specific analysis of how many Claude Code npm installations fell within the Axios attack window, and no assessment of whether the tool's elevated access to developer environments amplified the blast radius beyond what a typical Axios consumer would face.
This isn't about blaming Anthropic for a supply chain attack they didn't cause. It's about recognizing that AI coding tools are high-value targets precisely because they have high-trust access. When those tools are distributed through a registry with known architectural weaknesses in its authentication model, the risk compounds in ways that generic advisories don't capture.
The Axios RAT didn't care whether it landed on a machine running a web server or an AI coding assistant. But the attacker, a North Korean state-sponsored group focused on cryptocurrency and developer infrastructure, probably does care about the difference. A developer machine running Claude Code is a richer target than a CI runner building a static site. It has broader file access, more credential exposure, and a human operator who trusts it enough to let it execute code.
The collision between these two events wasn't planned. But the conditions that made it possible, AI tools distributed through a registry where one stolen credential compromises millions, were entirely predictable. The source leak just made it visible.
