If You Installed Claude Code on March 31, Check Your System Right Now
axios npm packages v1.14.1 and v0.30.4, bundled in the Claude Code npm release, were confirmed to contain a Remote Access Trojan (RAT). The compromised versions were live on npm on March 31, 2026 between 00:21 and 03:29
Anthropic's Claude Code npm package briefly shipped with a Remote Access Trojan -- and if you updated during a specific three-hour window, your machine may be compromised.
TL;DR: axios npm packages v1.14.1 and v0.30.4, bundled in the Claude Code npm release, were confirmed to contain a Remote Access Trojan (RAT). The compromised versions were live on npm on March 31, 2026 between 00:21 and 03:29 UTC. If you installed or updated Claude Code during that window, treat your system as potentially compromised until you've verified.
What Happened?
On March 31, Anthropic accidentally published an npm package for Claude Code that included axios versions containing a RAT -- a tool that gives an attacker remote access to your computer. The window was narrow: three hours and eight minutes, from 00:21 to 03:29 UTC. Anthropic confirmed the incident was a human error and stated no customer data was involved in the broader Claude Code source leak. Two separate intelligence sources independently flagged the compromise.
Here's the thing. Three hours doesn't sound like much. But npm install commands run on autopilot for a lot of developers -- and anyone using automated dependency updates or CI/CD pipelines during that window may have pulled in the compromised package without ever seeing it.
What Should You Do Right Now?
This isn't a "stay informed" situation. If you use Claude Code, here's what I want you to do:
- Check your install timing. Review your npm install logs for any Claude Code activity on March 31, 2026. If the timestamp falls between 00:21 and 03:29 UTC, proceed to step 2.
- Audit for anomalous processes. A RAT opens a backdoor. Look for unfamiliar processes, unexpected network connections, or new services you didn't install.
- Update to the clean version. Reinstall Claude Code from npm now -- the compromised axios packages have been removed.
- If you find anything suspicious, assume compromise. Rotate credentials, revoke API keys, and treat the machine as untrusted until you've done a full audit.