NPM is the default package manager for Node.js, the widely used open source JavaScript runtime environment, which GitHub acquired in March 2020. Microsoft has owned GitHub since October 2018.<\/p>\n\n\n\n
The malicious package was originally published in August, and 19 versions of it have been released to date. At the time of the report, it had been downloaded 207 times.<\/p>\n\n\n\n
By the time of publication, NPM had removed the malicious package and replaced it with a security holding package. It had been downloaded 435 times.<\/p>\n\n\n\n
\u201cThis package deploys a sophisticated payload that targets Claude Code installations, either locally on a developer’s computer or in a continuous integration pipeline,\u201d explained Paul McCarty, the Head of Research at Safety.<\/p>\n\n\n\n
\u201cThe intent is to steal Anthropic credentials, but more worryingly, the malware includes a bidirectional command and control server.\u201d<\/p>\n\n\n\n
McCarty said their initial analysis led them to believe the package is meant to proxy Claude commands and sensitive data back to the threat actor.<\/p>\n\n\n\n
At the same time, it allows the attacker to utilise someone else\u2019s Claude to run their own commands. Claude bills for each token its models process, making this potentially lucrative.<\/p>\n\n\n\n
NPM’s lack of metadata validation<\/h2>\n\n\n\n![\"\"](\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2025\/10\/Paul-McCarty-in-black-short-with-greenery-background.jpg\")
<\/figure>\n\n\n\n\u201cThe malicious package is based on the legitimate @anthropic-ai\/claude-code. The Anthropic package is one of the most popular NPM packages and averages over five million downloads per week,\u201d said McCarty.<\/p>\n\n\n\n
\u201cIf you compare the two package contents directories side by side, you can see that the malicious package has the real Claude Code package contents, but with three extra files.\u201d<\/p>\n\n\n\n
Simply put, the malware is designed to evade detection by a developer whose machine or CI pipeline has been infected by behaving like the real Claude Code.<\/p>\n\n\n\n
\u201cThis is made possible by the fact that NPM, still after all these years, doesn’t validate what users add to their package metadata,\u201d said McCarty.<\/p>\n\n\n\n
\u201cBecause of this lack of validation, threat actors can use the real GitHub repositories in their malicious packages, which adds legitimacy.\u201d<\/p>\n\n\n\n
Many NPM users think that the GitHub Repository data in the upper right corner of the package page is validation from the platform, but McCarty said that, unfortunately, that was not the case.<\/p>\n\n\n\n
However, in the background, the three extra files in the package intercept traffic to Anthropic to exfiltrate all user prompts, conversations, authentication data, and billing and usage data.<\/p>\n\n\n\n
McCarty said there were a handful of indicators developers or their defenders could look for to see if they had been compromised.<\/p>\n\n\n\n
These include checking whether they were using the @chatgptclaude_club\/claude-code package, or the legitimate one from Anthropic.<\/p>\n\n\n\n
Developers and security professionals could also monitor network traffic for the command and control server\u2019s URL, disclosed in McCarty\u2019s blog post, and check if a ~\/.chatclub\/ directory had been created.<\/p>\n","protected":false},"excerpt":{"rendered":"
Supply chain security company Safety has discovered a trojan in NPM that masqueraded as Anthropic’s popular Claude Code AI software development assistant.<\/p>\n","protected":false},"author":15,"featured_media":616210,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27,16],"tags":[97858,102027],"class_list":["post-616208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-software","tag-claude","tag-claude-code"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/616208"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=616208"}],"version-history":[{"count":4,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/616208\/revisions"}],"predecessor-version":[{"id":616377,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/616208\/revisions\/616377"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/616210"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=616208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=616208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=616208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/figure>\n\n\n\n\u201cThe malicious package is based on the legitimate @anthropic-ai\/claude-code. The Anthropic package is one of the most popular NPM packages and averages over five million downloads per week,\u201d said McCarty.<\/p>\n\n\n\n
\u201cIf you compare the two package contents directories side by side, you can see that the malicious package has the real Claude Code package contents, but with three extra files.\u201d<\/p>\n\n\n\n
Simply put, the malware is designed to evade detection by a developer whose machine or CI pipeline has been infected by behaving like the real Claude Code.<\/p>\n\n\n\n
\u201cThis is made possible by the fact that NPM, still after all these years, doesn’t validate what users add to their package metadata,\u201d said McCarty.<\/p>\n\n\n\n
\u201cBecause of this lack of validation, threat actors can use the real GitHub repositories in their malicious packages, which adds legitimacy.\u201d<\/p>\n\n\n\n
Many NPM users think that the GitHub Repository data in the upper right corner of the package page is validation from the platform, but McCarty said that, unfortunately, that was not the case.<\/p>\n\n\n\n
However, in the background, the three extra files in the package intercept traffic to Anthropic to exfiltrate all user prompts, conversations, authentication data, and billing and usage data.<\/p>\n\n\n\n
McCarty said there were a handful of indicators developers or their defenders could look for to see if they had been compromised.<\/p>\n\n\n\n
These include checking whether they were using the @chatgptclaude_club\/claude-code package, or the legitimate one from Anthropic.<\/p>\n\n\n\n
Developers and security professionals could also monitor network traffic for the command and control server\u2019s URL, disclosed in McCarty\u2019s blog post, and check if a ~\/.chatclub\/ directory had been created.<\/p>\n","protected":false},"excerpt":{"rendered":"
Supply chain security company Safety has discovered a trojan in NPM that masqueraded as Anthropic’s popular Claude Code AI software development assistant.<\/p>\n","protected":false},"author":15,"featured_media":616210,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27,16],"tags":[97858,102027],"class_list":["post-616208","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-software","tag-claude","tag-claude-code"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/616208"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=616208"}],"version-history":[{"count":4,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/616208\/revisions"}],"predecessor-version":[{"id":616377,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/616208\/revisions\/616377"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/616210"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=616208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=616208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=616208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}