Claude Leak → Axios RAT: The Supply Chain Story Nobody Connected
Two things happened on March 31, 2026.
Anthropic accidentally shipped 512,000 lines of Claude Code source code to the public npm registry. And a North Korean threat actor pushed a Remote Access Trojan through axios — the same HTTP library Claude Code depends on.
Most people are treating them as separate news stories.
They're not. Claude Code uses axios. Anyone who updated Claude Code during the attack window may have installed the RAT without ever knowing.
What Actually Happened
The Claude Code Leak
Someone at Anthropic published Claude Code version 2.1.88 with a source map file accidentally included. Source maps are debugging tools — they map minified production code back to original source. They have no business shipping in a production npm package.
This one pointed directly to a zip archive on Anthropic's own cloud storage. That archive contained the full, unobfuscated TypeScript source — 1,900 files, 512,000 lines. No hacking required. The file was just there.
Security researcher Chaofan Shou spotted it, posted the link, and within hours it had been mirrored to GitHub with over 41,500 forks. Anthropic confirmed: "This was a release packaging issue caused by human error, not a security breach."
Worth noting: this was the second time this exact mistake happened. A nearly identical leak occurred in February 2025. The lesson apparently didn't make it into the build pipeline.
The Axios Attack
At 00:21 UTC on March 31, using the compromised credentials of the axios lead maintainer, an attacker published axios@1.14.1. Less than an hour later, axios@0.30.4 followed on the legacy line. Both versions looked identical to the real thing, except for one new hidden dependency: plain-crypto-js@4.2.1.
That package had been staged 18 hours earlier specifically for this. Its only purpose was a postinstall script that ran automatically the moment npm installed it:
```shell
# This runs silently on npm install — no prompt, no warning
node setup.js
```
That script was a cross-platform RAT dropper targeting macOS, Windows, and Linux with separate, platform-specific payloads. On Windows it established persistence via a registry Run key. On Linux it skipped persistence entirely — Linux targets in dev environments are mostly ephemeral CI/CD runners where the value is in the secrets accessible during the build, not in persistence.
The entire attack window was 3 hours and 8 minutes. Google's Threat Intelligence Group attributed it to UNC1069, a North Korea-nexus actor, based on the payload being an updated version of the WAVESHAPER backdoor previously used by this group.
This was not opportunistic. The payload was staged 18 hours in advance. Three OS-specific RATs pre-built. Both latest and legacy release channels hit within 39 minutes. Anti-forensic self-deletion after execution.
Where They Collide
Claude Code depends on axios.
If you installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31, and that install resolved axios fresh from the registry rather than from an existing lockfile pin, you may have pulled a North Korean RAT alongside your AI coding assistant.
Same ecosystem. Same day. Different actors. Same victim pool.
What the Leak Actually Exposed
The leaked source is Claude Code's agentic harness — not the AI model itself, but the orchestration layer that wraps it and makes it useful. This is where the real engineering lives.
What researchers found inside:
- KAIROS — An always-on daemon mode. Claude Code running as a background agent while you're idle, consolidating memory and continuing work. Not yet shipped.
- autoDream — A memory consolidation system that runs during idle periods, merging observations into structured facts.
- Undercover Mode — A feature for making stealth contributions to open-source repositories without revealing the AI's involvement. The existence of this alone will generate weeks of debate.
- 44 feature flags — Fully built capabilities sitting behind compile-time flags set to false in production.
- Anti-distillation logic — Fake tool injections designed to prevent third parties from distilling Claude's behavior through API access.
The Third Attack Nobody Noticed
While the axios RAT was making headlines, a quieter attack was already in motion.
Security researcher Clément Dumas (@Butanium_) posted a warning the same afternoon:
"Supply chain attack in progress: someone is squatting Anthropic-internal npm package names targeting people trying to compile the leaked Claude Code source. color-diff-napi and modifiers-napi — both registered today, same person, disposable email. Do NOT install them."
Both packages were published by a user named pacifier136. At the time of the warning they were empty stubs — module.exports = {}. Nothing malicious yet.
That's the point. As Dumas explained:
"Right now they're empty stubs, but that's how these attacks work — squat the name, wait for downloads, then push a malicious update that hits everyone who installed it."
This is a dependency-confusion-style attack, but seeded directly by the leak: the leaked source names internal packages, and the squatter registered those names on the public registry before anyone outside Anthropic could build the code.
The mechanism:
- The leaked source contains require("color-diff-napi")
- A developer clones the repo and runs npm install
- The name exists on no private registry the developer has configured (an outsider typically has none at all)
- npm resolves the name against the public registry, where pacifier136's package is the only match
- That package is installed silently, empty stub and all
- The next update pushes the payload to everyone who already has it
The axios attack was a nation-state operation against a library with a download count in the hundreds of millions. This one was smaller and surgical, aimed at a very specific group: the developers most likely to clone and compile leaked AI tooling are exactly the developers an attacker wants access to.
Same day. Same ecosystem. Three separate attack vectors.
Context: The Harness War
The leak landed in a landscape where the harness — not the model — is increasingly the competitive battleground.
OpenCode, the open-source alternative built by the SST/Anomaly team, now sits at 112K GitHub stars versus Claude Code's 71K, with 2.5 million monthly active developers and support for 75+ LLM providers. By community metrics, it is growing faster.
The irony is hard to ignore. In January 2026, Anthropic blocked OpenCode from using Claude via consumer OAuth tokens, citing unauthorized API access. The developer backlash was immediate. OpenCode responded by building its own API gateway. OpenAI publicly welcomed third-party tools as counter-positioning, calling out Anthropic by name.
Two months after that decision, Anthropic shipped Claude Code's own internal architecture to 41,000 forks.
The companies competing hardest to build harness infrastructure around AI models now have Anthropic's blueprint for how to do it.
What's Happening Now
- Malicious axios versions removed from npm
- C2 infrastructure offline
- Claude Code npm package pulled and re-released without source map
- Anthropic recommending its native installer over npm going forward
- DMCA takedowns actively hitting GitHub mirrors
To check whether a project pulled the malicious versions, grep its lockfile:

```shell
grep -E "axios.*(1\.14\.1|0\.30\.4)" package-lock.json
grep "plain-crypto-js" package-lock.json
```

If either appears, the postinstall has already run. Pin axios back to 1.14.0 and reinstall from a clean node_modules, but do not mistake that for cleanup: deleting node_modules/plain-crypto-js removes the dropper, not the payload it dropped or the persistence it set up (a registry Run key on Windows). Treat the machine as compromised, rebuild it, and rotate every credential it held. API keys, cloud tokens, SSH keys, npm tokens, all of them. Assume exfiltration happened. Two gaps in the grep: it only sees projects with a package-lock.json (a global Claude Code install has none, so inspect the global tree with npm ls -g axios plain-crypto-js instead), and a project whose lockfile already pinned axios to 1.14.0 or earlier kept that version on npm install or npm ci and was never exposed.
The Bigger Shift
We are moving from:
- "Don't install random packages" → "The packages you always trusted may be the ones that get you"
- "Keep your code private" → "A single build config mistake publishes your architecture to 40,000 forks"
- "Leaks are about IP loss" → "Leaks expose your dependency graph and attackers weaponize it immediately"
An Open Question
Three things happened on March 31, 2026. A build config mistake. A nation-state RAT. A dependency squatter ready and waiting.
Nobody coordinated them. They just converged on the same ecosystem, the same tooling, and the same developers on the same day.
That's the part worth sitting with.
If three independent attack vectors — human error, state-level operation, and opportunistic squatting — can overlap like this with no coordination, what does that say about how exposed the AI development toolchain actually is?
The original thesis of this blog was that these two incidents were connected. Turns out it was three. And the connection isn't a conspiracy — it's just that the attack surface of modern development is large enough that multiple actors, with completely different motivations, found their way to the same door on the same afternoon.
Is the problem solvable with better npm hygiene, stricter build pipelines, and dependency scanning? Or are we at a point where the trust model underpinning the entire JavaScript ecosystem is structurally broken in ways today's tools can't patch?
I don't think we have a clean answer. But March 31 made it a lot harder to pretend the question isn't urgent.
If you updated Claude Code via npm on March 31, 2026 between 00:21–03:29 UTC: check your lockfile and rotate credentials immediately.
Written by Vishwam Dhavale
Full stack developer building scalable web & mobile systems. Founding Engineer with a passion for clean architecture and great DX.