Announcement

Apr 1, 2026

While Everyone Was Reading the Leaked Code, a Trojan Was Slipping Through npm.

In our last post, we broke down both Anthropic leaks: the Claude Code source code and the Mythos model spec. We covered KAIROS, the feature flags, the Capybara tier, and what it all means for the future of AI.

This is the part of the story that most people missed.

Hours before the source code leak went viral, a supply-chain attack planted a Remote Access Trojan inside one of npm's most trusted packages. Our security systems flagged it before it touched our stack. Most developers weren't that lucky.

The Three-Hour Window

Between 00:21 and 03:29 UTC on March 31, 2026, someone published malicious versions of axios to the npm registry. Versions 1.14.1 and 0.30.4.

Axios is the HTTP client that millions of JavaScript applications depend on. Claude Code included.

These versions contained a hidden dependency called plain-crypto-js. The payload: a cross-platform Remote Access Trojan.

Not a vulnerability. Not a theoretical exploit. A fully operational RAT that gives an attacker:

  • Remote control of your machine

  • Access to every file, credential, and API key on your system

  • The ability to execute commands as you

  • Silent, persistent data exfiltration — your code, your secrets, your clients' data

Now consider the timing.

Within hours, every major tech publication would be reporting on the Claude Code source leak. Thousands of developers would rush to npm to reinstall, update, or inspect the package. Every single one of them would pull the trojanized axios as a dependency.

Whether this was coordinated or opportunistic doesn't matter. The kill chain was live.

How We Caught It

At CYSTEMS, our AI infrastructure runs continuous security monitoring. Every dependency, every version, every update gets scrutinized before it enters our environment.

When this attack surfaced, our security layer ran an immediate full-system dependency audit. Every instance of axios across our entire stack — identified and version-checked within seconds:

axios 1.13.5 — clean
axios 1.13.6 — clean
axios 1.13.5 — clean

No 1.14.1. No 0.30.4. No trace of plain-crypto-js. Clean across the board.

Our Claude Code installation is v2.1.72, pinned since March 10th — three weeks before the attack. We don't auto-update developer tools from public registries. Every update goes through a review cycle with a minimum 24-48 hour cooling period after release.

The compromised version was v2.1.88. We were never in the blast radius.

As of today, npm-based installation of Claude Code is permanently banned from our systems. Our updated standard operating procedure mandates the native installer — a standalone binary shipped directly by Anthropic that bypasses the npm dependency chain entirely:

curl -fsSL https://claude.ai/install.sh | bash

No dependency resolution. No transitive packages. No attack surface.

This isn't a reaction. It's how we operate.

Every third-party tool, package, and integration that enters our stack goes through automated security review — not once, but continuously. We monitor for version anomalies, unexpected dependencies, and known malicious signatures as part of our weekly infrastructure audit cycle.

The axios RAT didn't slip past us because we were lucky. It didn't slip past us because it was caught early by the community.

It didn't slip past us because our systems assume every public registry is hostile until proven otherwise.

What You Need To Do Right Now

If you installed or updated Claude Code via npm on March 31st (00:21 – 03:29 UTC):

Assume full compromise. This is not an overreaction.

1. Disconnect immediately. Wi-Fi off. Ethernet unplugged. Stop the bleeding.

2. From a separate, clean device:

  • Rotate every API key — Anthropic, OpenAI, GitHub, AWS, Stripe, all of them

  • Change all passwords, starting with email, GitHub, and npm

  • Revoke every OAuth token and active session

  • Regenerate SSH keys

3. On the compromised machine:

  • Full OS reinstall. Not cleanup. A RAT has had full system access — you cannot trust anything on that drive

  • Restore only from backups created before March 31st

4. Monitor everything for 30 days:

  • API billing anomalies

  • Unknown commits in your repositories

  • Unfamiliar login sessions across all services

  • Cloud infrastructure changes you didn't make

If you use Claude Code but did NOT update on March 31st:

You are almost certainly safe. Verify in 60 seconds:

Check your version: claude --version

Check for malicious axios: npm list axios -g | grep axios — RED FLAG: 1.14.1 or 0.30.4

Check for trojan payload: search your global node_modules for plain-crypto-js — Any match = compromised.
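The three manual checks above, folded into one script that walks a node_modules tree, catches nested copies of axios that `npm list` can hide, and exits non-zero on any hit. This is an added example written for this post, not CYSTEMS tooling; the sample tree it scans is constructed inline and the only indicators it knows are the two versions and the package name given above.

```shell
#!/bin/sh
# Indicators named in the post: the two trojanized axios versions and the
# hidden payload package. Constructed example, not CYSTEMS tooling.
BAD_AXIOS="1.14.1 0.30.4"
PAYLOAD_PKG="plain-crypto-js"

# Print the "version" field of a package.json (first "version" key wins).
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print "VERSION PATH" for every axios copy under DIR, nested copies
# included, whose version is one of BAD_AXIOS.
find_bad_axios() {
  find "$1" -type f -path '*/node_modules/axios/package.json' 2>/dev/null |
  while IFS= read -r pj; do
    v=$(pkg_version "$pj")
    for bad in $BAD_AXIOS; do
      if [ "$v" = "$bad" ]; then printf '%s %s\n' "$v" "$pj"; fi
    done
  done
}

# Print every plain-crypto-js directory under DIR; any match is an indicator.
find_payload() {
  find "$1" -type d -name "$PAYLOAD_PKG" 2>/dev/null
}

# scan_tree DIR: print findings; return 0 when clean, 1 when an indicator hit.
scan_tree() {
  report=$( { find_bad_axios "$1"; find_payload "$1"; } )
  if [ -n "$report" ]; then
    printf 'COMPROMISED: indicators under %s\n%s\n' "$1" "$report"
    return 1
  fi
  printf 'clean: %s\n' "$1"
}

# Constructed sample tree (not a real install): one clean top-level axios and
# a nested trojanized copy sitting next to the payload package.
make_sample() {
  d=$(mktemp -d)
  nested="$d/node_modules/some-cli/node_modules"
  mkdir -p "$d/node_modules/axios" "$nested/axios" "$nested/$PAYLOAD_PKG"
  printf '{"name":"axios","version":"1.13.6"}\n' > "$d/node_modules/axios/package.json"
  printf '{\n  "name": "axios",\n  "version": "1.14.1"\n}\n' > "$nested/axios/package.json"
  printf '%s\n' "$d"
}

scan_tree "$(make_sample)" || true
# Real use: scan_tree "$(npm root -g)" and every project's node_modules.
```

Run it against `npm root -g` and each project checkout; a non-zero exit means the box goes into the "assume full compromise" procedure above, not a cleanup.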

Best Practices Going Forward

1. Stop installing developer tools from npm. Any tool that handles your code, your files, or your credentials should never be installed through a public package registry with transitive dependency resolution. Use standalone binaries or verified installers.

For Claude Code: npm uninstall -g @anthropic-ai/claude-code then curl -fsSL https://claude.ai/install.sh | bash

2. Never update on day zero. The 24-48 hours after a release are when supply-chain attacks are most likely to succeed. Let the community absorb the shock. The cost of being one day behind is nothing. The cost of pulling a trojanized dependency is everything.

3. Audit your dependency tree regularly. npm audit --global, weekly at minimum. Most supply-chain compromises sit undetected for days because nobody checks.

4. Use lockfiles religiously. package-lock.json, yarn.lock, bun.lockb — these exist to prevent exactly this scenario. If you are not committing lockfiles, you are letting npm decide what runs on your machine at install time. That is not a workflow. That is a lottery.

5. Treat your development machine like production. If you use Claude Code for client work, your machine has access to their codebases, their credentials, their infrastructure. A RAT on your laptop is a RAT inside every client project you touch.

The Real Lesson

Anthropic is not a careless company. Their bash security alone — 23 validation checks, Zsh-specific exploit defenses, zero-width Unicode injection detection — is more thorough than most companies' entire security posture.

And yet: a known, open bug in their own toolchain shipped their own source code to the public. Hours later, the ecosystem they distributed through was weaponized against their users.

The lesson is not about Anthropic.

The tools we depend on are only as secure as the infrastructure they are distributed through. npm, PyPI, crates.io — every public package registry operates on a trust model that assumes good faith from every publisher, every maintainer, every transitive dependency.

That assumption is the softest target in modern software. And it is being exploited with increasing precision.

The question is not whether your stack will be targeted. It is whether your systems will catch it when it happens.
