Claude Code trojanized HTTP client delivery via npm
Malware Activity
Summary
Hide ▲
Show ▼
The npm distribution path for Claude Code exposed some users to a trojanized HTTP client, creating a possible cross-platform remote access trojan delivery route. Systems that installed or updated the package on March 31, 2026, between 00:21 and 03:29 UTC may have pulled the malicious component. The issue matters because trusted package updates can become a malware delivery path and a secret-exposure risk.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
GitHub hit by network compromise
IncidentAbout this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Rwl.angular-console (Nx Console) hit by network compromise
Incident
First: 19.05.2026 10:49
Last: 19.05.2026 10:49
Sources 1
About this happening:
The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...
Rwl.angular-console (Nx Console) hit by network compromise
IncidentAbout this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Timeline
-
01.04.2026 09:12 2 articles · 1mo ago
Claude Code trojanized HTTP client delivery via npm
Initial DisclosureA **March 31, 2026** npm update window for **Claude Code** exposed some users to a **trojanized HTTP client**. The payload was described as a **cross-platform remote access trojan**.
Show sources
- Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms — thehackernews.com — 01.04.2026 09:12
- Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms — thehackernews.com — 01.04.2026 09:12