Back to Home

RAT in Axios npm: phantom dependency and Claude Code leak

On March 31, 2026, attacks on npm were recorded: RAT in Axios via phantom dependency and Claude Code source leak. Breakdown of mechanics, checks, and clean-room architecture rewrite.

Trojan in Axios and 500k lines of Claude Code: npm attack breakdown
Advertisement 728x90

Axios npm Account Hijack: RAT via Phantom Dependency and Claude Code Leak

On March 31, 2026, attackers hijacked the npm account of the Axios maintainer (jasonsaayman), publishing malicious versions 1.14.1 (latest) and 0.30.4 (legacy). The packages distributed a RAT trojan for three hours—from 00:21 to 03:15 UTC. With 100 million weekly downloads, the potential damage was massive.

The Axios code itself remained untouched. The attackers added a dependency on [email protected] to package.json—a package created a day before the attack. This dependency is not imported in the code, acting as a phantom dependency.

Attack Mechanism

The installation proceeds as follows:

Google AdInline article slot
  • npm install downloads all dependencies from package.json.
  • plain-crypto-js executes a postinstall script.
  • The script downloads a payload from a C2 server.
  • A cross-platform RAT for macOS, Windows, and Linux is deployed.
  • The script restores a clean package.json, masking traces.

Standard code review won't detect the issue: the JS files are clean, and the suspicious dependency is only visible in the manifest. Scanners must check postinstall scripts of transitive packages.

Immediate Actions

| Branch | Malicious Version | Safe Version |

|--------|-------------------|--------------|

Google AdInline article slot

| latest | 1.14.1 | 1.14.0 |

| legacy | 0.30.4 | 0.30.3 |

Check:

Google AdInline article slot
  • package-lock.json / yarn.lock for malicious versions.
  • Presence of plain-crypto-js in dependencies.

If found—the system is infected. Rotate keys, tokens, and secrets. IOCs have been published by StepSecurity, Socket, and others.

Attributed to UNC1069/Lazarus—a typical supply-chain attack via account hijacking without compromising the npm registry.

Claude Code Source Leak via Sourcemap

On the same day, Anthropic published @anthropic-ai/[email protected] with a 59.8 MB cli.js.map file. The sourcemap revealed ~512,000 lines of TypeScript, 1,900 files, system prompts, memory logic, planning, and unannounced features.

Cause and Consequences

An error in .npmignore: source maps were not excluded from the package. The sourcemap referenced a public R2 bucket from Anthropic. The code was quickly mirrored on GitHub after a report by Chaofan Shou.

Anthropic deleted the version and released a patch, but mirrors spread. This was not a hack but a build error.

Clean-Room Implementation: From Leak to Open Project

Sigrid Jean (instructkr) rewrote the Claude Code architecture in Python without copying the source code, avoiding DMCA. Used oh-my-codex for acceleration.

Implemented:

  • Agent harness.
  • Tools.
  • Memory and planning.
  • Swarms sub-agents.

The claw-code repository gained 50,000 stars in 2 hours, 100,000+ in a day—a GitHub record. A Rust port is also popular. The project is positioned as improved harness tools.

Key Takeaways

  • Phantom dependency in Axios: RAT masquerades as a crypto library, activated via postinstall, cross-platform.
  • Claude Code leak: 512k lines via sourcemap due to missing .npmignore.
  • Clean-room approach: Rewriting architecture in Python/Rust bypasses DMCA, creates an open alternative.
  • Lock file checks: Essential to detect 1.14.1/0.30.4 and plain-crypto-js.
  • npm account audits: Maintainer hijacking is a vector for supply-chain attacks.

— Editorial Team

Advertisement 728x90

Read Next