Axios npm Account Hijack: RAT via Phantom Dependency and Claude Code Leak
On March 31, 2026, attackers hijacked the npm account of the Axios maintainer (jasonsaayman), publishing malicious versions 1.14.1 (latest) and 0.30.4 (legacy). The packages distributed a RAT trojan for three hours—from 00:21 to 03:15 UTC. With 100 million weekly downloads, the potential damage was massive.
The Axios code itself remained untouched. The attackers added a dependency on [email protected] to package.json—a package created a day before the attack. This dependency is not imported in the code, acting as a phantom dependency.
Attack Mechanism
The installation proceeds as follows:
npm installdownloads all dependencies frompackage.json.plain-crypto-jsexecutes apostinstallscript.- The script downloads a payload from a C2 server.
- A cross-platform RAT for macOS, Windows, and Linux is deployed.
- The script restores a clean
package.json, masking traces.
Standard code review won't detect the issue: the JS files are clean, and the suspicious dependency is only visible in the manifest. Scanners must check postinstall scripts of transitive packages.
Immediate Actions
| Branch | Malicious Version | Safe Version |
|--------|-------------------|--------------|
| latest | 1.14.1 | 1.14.0 |
| legacy | 0.30.4 | 0.30.3 |
Check:
package-lock.json/yarn.lockfor malicious versions.- Presence of
plain-crypto-jsin dependencies.
If found—the system is infected. Rotate keys, tokens, and secrets. IOCs have been published by StepSecurity, Socket, and others.
Attributed to UNC1069/Lazarus—a typical supply-chain attack via account hijacking without compromising the npm registry.
Claude Code Source Leak via Sourcemap
On the same day, Anthropic published @anthropic-ai/[email protected] with a 59.8 MB cli.js.map file. The sourcemap revealed ~512,000 lines of TypeScript, 1,900 files, system prompts, memory logic, planning, and unannounced features.
Cause and Consequences
An error in .npmignore: source maps were not excluded from the package. The sourcemap referenced a public R2 bucket from Anthropic. The code was quickly mirrored on GitHub after a report by Chaofan Shou.
Anthropic deleted the version and released a patch, but mirrors spread. This was not a hack but a build error.
Clean-Room Implementation: From Leak to Open Project
Sigrid Jean (instructkr) rewrote the Claude Code architecture in Python without copying the source code, avoiding DMCA. Used oh-my-codex for acceleration.
Implemented:
- Agent harness.
- Tools.
- Memory and planning.
- Swarms sub-agents.
The claw-code repository gained 50,000 stars in 2 hours, 100,000+ in a day—a GitHub record. A Rust port is also popular. The project is positioned as improved harness tools.
Key Takeaways
- Phantom dependency in Axios: RAT masquerades as a crypto library, activated via postinstall, cross-platform.
- Claude Code leak: 512k lines via sourcemap due to missing .npmignore.
- Clean-room approach: Rewriting architecture in Python/Rust bypasses DMCA, creates an open alternative.
- Lock file checks: Essential to detect 1.14.1/0.30.4 and plain-crypto-js.
- npm account audits: Maintainer hijacking is a vector for supply-chain attacks.
— Editorial Team
No comments yet.