Date: 2025-10-30

Supply chain security company Safety has discovered a trojan masquerading as Anthropic’s popular Claude Code AI software development assistant.

Anthropic describes Claude Code as an agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster.

Claude Code executes routine tasks, explains complex code, and handles Git workflows through natural language commands. Git is the tool most programmers use for version control.

Developers MyBroadband has spoken to in South Africa have reported positive experiences with Claude Code, saying that it allows them to work much faster than before.

Considering Claude Code’s utility and popularity, it should not come as a surprise that attackers attempted a supply chain attack against the tool.

Safety said in a recent blog post that its research team’s automated malicious package detection engine identified a new malicious NPM package called @chatgptclaude_club/claude-code on Monday, 27 October.

NPM, which GitHub acquired in March 2020, is the default package manager for Node.js, the widely used open source JavaScript runtime environment. Microsoft has owned GitHub since October 2018.

The malicious package was originally published in August, and 19 versions of it have been released to date. At the time of the report, it had been downloaded 207 times.

By the time of publication, NPM had removed the malicious package and replaced it with a security holding package. By then, it had been downloaded 435 times.

“This package deploys a sophisticated payload that targets Claude Code installations, either locally on a developer’s computer or in a continuous integration pipeline,” explained Paul McCarty, the Head of Research at Safety.

“The intent is to steal Anthropic credentials, but more worryingly, the malware includes a bidirectional command and control server.”

McCarty said their initial analysis led them to believe the package is meant to proxy Claude commands and sensitive data back to the threat actor.

At the same time, it allows the attacker to utilise someone else’s Claude to run their own commands. Claude bills for each token its models process, making this potentially lucrative.

NPM’s lack of metadata validation

“The malicious package is based on the legitimate @anthropic-ai/claude-code. The Anthropic package is one of the most popular NPM packages and averages over five million downloads per week,” said McCarty.

“If you compare the two package contents directories side by side, you can see that the malicious package has the real Claude Code package contents, but with three extra files.”

Simply put, the malware behaves like the real Claude Code so that a developer whose machine or CI pipeline has been infected does not notice it.

“This is made possible by the fact that NPM, still after all these years, doesn’t validate what users add to their package metadata,” said McCarty.

“Because of this lack of validation, threat actors can use the real GitHub repositories in their malicious packages, which adds legitimacy.”

Many NPM users think that the GitHub Repository data in the upper right corner of the package page is validation from the platform, but McCarty said that, unfortunately, that was not the case.

However, in the background, the three extra files in the package intercept traffic to Anthropic to exfiltrate all user prompts, conversations, authentication data, and billing and usage data.

McCarty said there were a handful of indicators developers or their defenders could look for to see if they had been compromised.

These include checking whether they were using the @chatgptclaude_club/claude-code package, or the legitimate one from Anthropic.

Developers and security professionals could also monitor network traffic for the command and control server’s URL, disclosed in McCarty’s blog post, and check if a ~/.chatclub/ directory had been created.