Malware Campaigns Exploit Claude Code Leak: Typosquat npm Packages Active

TL;DR: The Claude Code source leak is now actively exploited in the wild. Beyond the fake GitHub repos we covered earlier, attackers are publishing typosquat npm packages — empty stubs with names like audio-capture-napi and color-diff-napi — waiting to swap in malicious code. If you installed Claude Code via npm during the vulnerable window (March 31, 00:21–03:29 UTC), you're already in the blast radius of the axios supply chain attack. Here's what to check and what to do.

🎯 Typosquat npm Packages: The Patience Play

Security researchers spotted a new campaign on npm: a user operating under the handle "pacifier136" has published packages with names that closely mimic common dependencies:

• audio-capture-napi
• color-diff-napi
• image-processor-napi
• modifiers-napi
• url-handler-napi

Right now, these packages are empty stubs — no malicious code yet. That's by design. This is the classic typosquat + dependency confusion pattern: squat on names developers are likely to typo, publish empty versions first to establish a footprint, then push a malicious update once adoption looks good. The wait-and-push approach also evades npm's initial automated scanning, since the malicious payload comes in a later version bump.

The packages are targeting developers experimenting with the leaked Claude Code source — either trying to rebuild it or integrate components. Anyone cloning a "leaked Claude Code" fork and running npm install could pull one of these as a dependency.

☠️ The Axios Supply Chain Attack: Still Active Risk

The most immediate danger isn't new — it's the axios hijack that ran concurrently with the source leak on March 31. Between 00:21 and 03:29 UTC, attackers published trojanized versions of axios (1.14.1 and 0.30.4) containing a Remote Access Trojan via the plain-crypto-js malicious dependency.

Claude Code uses axios. If you ran npm install -g @anthropic-ai/claude-code or updated during that window, you may have pulled the backdoored version.

What to do right now:

1. npm ls axios — check if you're on 1.14.1 or 0.30.4. If so, npm install axios@latest to get a clean version.
2. Check node_modules/plain-crypto-js — if it exists, you were hit.
3. Rotate your Anthropic API key and any credentials accessible from that environment.
4. Update to Claude Code v2.1.92 (npm install -g @anthropic-ai/claude-code@latest) to get the latest fixes.

🔐 What Zscaler ThreatLabz Found

Zscaler's threat intelligence team has been tracking the overall campaign infrastructure. Beyond the typosquat packages, the fake "leaked Claude Code" GitHub repos (user "idbzoomh") are still live in various forms — the operator updates the payloads frequently, suggesting active maintenance. A second GitHub repo with identical content was found experimenting with a ZIP delivery variant, indicating the threat actor is testing multiple delivery vectors.

The bottom line: there is no safe "fork" of the leaked Claude Code source. Anything claiming to be one is either malware, a typosquat launcher, or both. The only safe source is the official npm package.

📋 Summary: Your Action List

• ✅ Update Claude Code: npm install -g @anthropic-ai/claude-code@latest
• ✅ Audit axios: npm ls axios — downgrade to latest if on 1.14.1 or 0.30.4
• ✅ Rotate API keys if you installed during March 31 00:21–03:29 UTC
• ❌ Do not download "leaked Claude Code" from GitHub
• ❌ Do not install npm packages from untrusted sources claiming to be Claude Code related

Sources: HelpNetSecurity · Zscaler ThreatLabz

📬 This is The LGTM — your daily digest of what matters in AI-assisted coding. Subscribe to get it in your inbox.