A Leaked npm Package Turned Into a RAT Backdoor in Three Hours
A leaked Claude Code npm package exposed source code, then shipped trojanized axios versions—showing how fast an AI tool can become supply-chain risk.
Anthropic's Claude Code source leak wasn't just embarrassing — it opened a window for someone to slip a Remote Access Trojan into the supply chain. And that window was open for three hours on March 31.
TL;DR: The same Claude Code npm package that exposed 512,000 lines of Anthropic source code also shipped axios versions (v1.14.1 and v0.30.4) confirmed to contain a Remote Access Trojan. The compromised packages were live on npm from 00:21 to 03:29 UTC on March 31, 2026. Two independent sources flagged the compromise. Anyone who installed or updated Claude Code during that window should treat their system as potentially compromised.
How a Source Leak Becomes a Supply Chain Attack
Here's the thing. When Anthropic's npm package accidentally exposed its full Claude Code source — the same leak that revealed "Undercover Mode" and 44 hidden feature flags — the story everyone focused on was the code itself. What the code said about how Anthropic builds AI tools. Fair enough.
But the security consequence landed three days later. axios packages bundled inside that Claude Code release were confirmed to contain a RAT — a tool that gives an attacker remote control of your machine. Not theoretical. Not a proof-of-concept. A confirmed Remote Access Trojan sitting inside a dependency that developers install without thinking twice.
The window was narrow: three hours and eight minutes. But npm installs run on autopilot. CI/CD pipelines pull dependencies in the middle of the night. Automated updates don't ask permission — they just execute. Three hours is more than enough.
Why This Matters Beyond Claude Code
This isn't just an Anthropic story. It's a supply chain story. The pattern is: a source leak creates a known dependency tree. An attacker maps that tree, identifies a high-trust package (axios — one of the most downloaded npm packages in existence), and compromises it during a window when attention is elsewhere.
Now think about that pattern applied to any AI tool you install via npm, pip, or any package manager. The tool you trust inherits the trust profile of every dependency it pulls in. And you never see those dependencies install.
What You Should Do
If you use Claude Code, check whether you installed or updated via npm on March 31, 2026 between 00:21 and 03:29 UTC. If yes — audit for unfamiliar processes, rotate credentials, and update to the current clean version. Full action steps are in the companion advisory.
If you don't use Claude Code, the lesson still applies: every AI tool you install carries its dependency chain with it. Know what you're pulling in.
Key Takeaways
- Anthropic's Claude Code npm leak exposed source code — and also shipped axios packages containing a confirmed Remote Access Trojan.
- The compromised axios versions (v1.14.1 and v0.30.4) were live on npm for 3 hours on March 31, 2026 (00:21–03:29 UTC).
- Automated dependency pipelines and CI/CD systems are the highest-risk vector — installs during that window may have executed without human review.
- The attack pattern — source leak → dependency mapping → supply chain compromise — applies to any AI tool installed via package managers, not just Claude Code.
- Anthropic confirmed the incident and removed the affected packages. No customer data exposure reported.