
The npm Trust Problem: How the Claude Code Leak and the Axios RAT Created a Supply Chain Emergency

On 31 March 2026, two separate events hit the npm registry within hours: Anthropic's accidental source code publication and a trojanised axios containing a Remote Access Trojan. Together they illustrate a structural vulnerability Swiss DevSecOps teams cannot ignore.

31 March 2026 was an unusually eventful morning for the npm ecosystem. Between 00:21 and 03:29 UTC, malicious versions of the axios HTTP client library (1.14.1 and 0.30.4, each carrying a new dependency on plain-crypto-js) were live on the public npm registry. Axios is one of the most widely used JavaScript HTTP client libraries in existence. It is also a direct dependency of Claude Code. Any developer who installed or updated Claude Code during that three-hour window and whose install resolved axios to one of those versions may have pulled a trojanised build containing a cross-platform Remote Access Trojan. Whether a given machine was exposed depends on how axios was resolved: an install driven by an existing lockfile that pinned an earlier release keeps that release, whereas a fresh install, or a lockfile refresh that resolved axios anew during the window, would have taken the newest published version.

Hours later, Anthropic's accidental publication of Claude Code's full source code via a misconfigured source map became public knowledge. The two events were independent — the axios attack was not related to Anthropic's packaging error. But their simultaneous occurrence created what Zscaler ThreatLabz described as a 'perfect storm': a high-visibility package attracting developer attention, a live RAT in its dependency tree, and a flood of unofficial 'leaked Claude Code' repositories being seeded on GitHub with additional malicious payloads.

The Axios RAT: Technical Profile

The malicious axios versions included a dependency on plain-crypto-js, not present in legitimate releases. This dependency delivered a cross-platform Remote Access Trojan providing attackers with persistent access to any developer workstation where the compromised package executed — including the ability to read environment variables, access filesystem contents, and exfiltrate credentials. The attack was attributed to North Korean threat actors by Google's security team, following a pattern consistent with prior DPRK supply chain operations targeting developer credentials and access tokens.

The Typosquatting Cascade

Within hours of the source leak becoming public, a user named 'pacifier136' registered five npm package names closely matching internal Anthropic package naming conventions visible in the leaked source. Anthropic subsequently reserved the same names as placeholders, preventing payload delivery. Separately, Zscaler ThreatLabz confirmed threat actors seeding GitHub repositories claiming to offer the 'leaked Claude Code source'. Developers who cloned and executed these repositories triggered a Rust-based dropper deploying Vidar Stealer and GhostSocks.

◆ Key Takeaway

The 31 March events illustrate the three-layer npm supply chain attack surface: poisoned legitimate packages (axios RAT), typosquatting of internal package names (pacifier136 campaign), and malicious repositories posing as community resources (fake Claude Code forks). Each layer requires a different defensive control. Treating npm package installation as a trusted operation is no longer operationally defensible.

The Swiss DevSecOps Exposure

Switzerland's software development and financial technology sectors have significant npm exposure. Swiss banks, insurers, and fintech companies operating digital platforms typically have large JavaScript and TypeScript codebases with deep npm dependency trees. The axios attack was particularly concerning because axios is a transitive dependency of thousands of applications: a developer who had never directly installed axios could have been exposed through a framework or tool that depended on it. The reporting obligation under the Swiss Information Security Act (ISA) applies to operators of critical infrastructure: a supply chain compromise resulting in credential exfiltration is the kind of incident that can trigger mandatory reporting to the NCSC within 24 hours of discovery.

Immediate Actions for Swiss Development and Security Teams

  • Check your lockfiles (package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml) and the installed node_modules tree for the affected axios versions immediately. Search for axios 1.14.1 or 0.30.4, or for plain-crypto-js anywhere in the tree, including as a transitive dependency; `npm ls axios --all` and `npm ls plain-crypto-js --all` show the installed versions and the path that pulled each one in. If found, treat the affected workstation as potentially compromised and rotate every credential that was readable on that machine, including tokens in environment variables and dotfiles.
  • Do not install or execute any repository claiming to contain the leaked Claude Code source. The official package is @anthropic-ai/claude-code on npm. Any alternative distribution should be treated as a probable lure for Vidar Stealer or GhostSocks payloads.
  • Implement integrity verification for your npm dependency tree. Run npm audit in your CI/CD pipeline, but note its limit: it only flags versions for which an advisory has already been published, so it gives no protection in the interval between a malicious publish and its advisory. Pair it with committed lockfiles installed via `npm ci`, `ignore-scripts=true` in .npmrc so that install hooks from newly resolved packages cannot run unreviewed (packages that genuinely need a build step are then rebuilt explicitly), and a private registry mirror with manual approval gates for new packages and version updates to critical dependencies.
  • Review AI coding agent deployment permissions. Audit what shell commands AI agents are permitted to execute, what environment variables they can access, and what network connections they can initiate.
  • Assess your mandatory reporting obligations. If your organisation operates critical infrastructure and experienced an axios installation during the affected window, assess whether the incident meets ISA mandatory reporting criteria.

The Structural Problem

The events of 31 March 2026 did not reveal a new attack technique. What they demonstrated is that the speed differential between attack and defence is widening. The axios RAT was live for three hours and eight minutes. The typosquatting campaign launched within hours of the leak. The GitHub lure repositories were seeded the same day. In each case, the attack was operationally active before most organisations could assess the risk. The defensive response to this speed differential is automated, policy-enforced controls — not faster manual incident response.