Three attack streams. One three-hour window. The same target: developers.

00:21 UTC — March 31, 2026

Most of the engineering world was asleep. By the time it woke up, three separate attack streams had converged on the same ecosystem, in the same three-hour window, targeting the same people: developers. Not end users. Not executives. The people with shell access, cloud credentials, API keys, and the keys to production.

What followed wasn't a breach. Anthropic will tell you that. Nobody said it was a breach. That framing is exactly the problem.

The security and AI press covered these events as separate stories. They are not separate. Understanding March 31 requires holding all three in view simultaneously — because it is the convergence, not any individual incident, that reveals something structural about the trust model underpinning the modern developer toolchain.

March 31, 2026 — UTC event timeline
Figure: March 31 2026 attack timeline. Three simultaneous attack streams on a UTC timeline (00:00 to 09:00). The Axios backdoor was live 00:21–03:29. Claude Code source was published in the same window and publicly discovered at 08:23. Trojanised Vidar repositories appeared within 24 hours of discovery. Stream 1: UNC1069 / Axios (North Korea), WAVESHAPER.V2 backdoor live 00:21–03:29. Stream 2: Claude Code source leak, v2.1.88 published with .map artefact, publicly discovered 08:23. Stream 3: Vidar / GhostSocks, trojanised repos and Vidar pivot at +24h.
Timestamps sourced from Google GTIG, Zscaler ThreatLabz, and Anthropic's public statement.
Incident One

The Claude Code Source Leak

npm packaging error — 512,000 lines of TypeScript

What happened

Anthropic accidentally shipped a 59.8 MB JavaScript source map file inside version 2.1.88 of @anthropic-ai/claude-code on the public npm registry [1]. Source maps are debug artefacts — they map minified, bundled JavaScript back to the original TypeScript. When a build pipeline fails to exclude them from a production package, it ships the full pre-compilation source to anyone who installs the package.

That is what happened. Over 512,000 lines of unobfuscated TypeScript, across nearly 2,000 files, were sitting in plain sight on npm. A security researcher named Chaofan Shou found it at 4:23 AM ET and posted about it on X [1]. Within hours, the codebase was mirrored across GitHub, forked tens of thousands of times, and had already been ported to Python and Rust by developers who understood that clean-room rewrites sidestep copyright claims.

"A release packaging issue caused by human error, not a security breach." — Anthropic spokesperson [2]

Boris Cherny, a Claude Code engineer at Anthropic, confirmed it was plain developer error — not a tooling bug [3]. Which is worse, in some ways. Tooling bugs get fixed systematically. Developer error at this level points to a CI pipeline with no gate on package contents before publish.

What was inside

The leak exposed the complete client-side agent harness: the query engine handling LLM API calls and orchestration, the tools system for file reads and bash execution, multi-agent orchestration for spawning sub-agents, and the bidirectional communication layer connecting IDE extensions. It also exposed the internal model roadmap — internal codenames Capybara, Fennec, Numbat — and internal performance metrics showing a 29–30% false claims rate in the current Capybara v8, a regression from 16.7% in v4 [4].

The most operationally significant disclosure was the permission and execution model. Claude Code has deep shell access. It auto-executes hooks. It integrates with MCP servers. The full logic governing how those capabilities are gated is now public.

Pre-existing CVEs covering remote code execution and API key exfiltration via malicious repo configs, hooks, MCP servers, and environment variables are now dramatically easier to weaponise [5]. With full source visibility, a threat actor can craft a malicious repository or project file that triggers arbitrary shell execution or credential theft the moment a developer clones or opens it.

There was also the Undercover Mode disclosure. A module called undercover.ts contains an explicit system prompt instructing Claude Code to never mention internal codenames or Anthropic-internal information when operating in public repositories [6]:

"You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover."

This raises a broader question about who you can trust in a repository — one worth its own article.

Why it matters

The model weights were not exposed. Claude's intelligence was never at risk. Anthropic is correct that this is not a breach in the traditional sense. What was exposed is the blueprint. Every competitor now has a free, detailed engineering education on how to build a production-grade AI coding agent. Every threat actor now has the permission model, the execution pathways, the hook architecture, and the feature flag logic.

The code is permanently in the wild. DMCA takedowns have been filed against over 8,100 repositories [7]. It does not matter. Mirrors are on IPFS. Clean-room rewrites exist in Python and Rust [3]. The legal basis for copyright claims on AI-generated code is itself contested. The source is public. That condition is permanent.

Incident Two

The Axios npm Supply Chain Attack

North Korea — UNC1069 — WAVESHAPER.V2 — same three-hour window

What happened

In the same three-hour window — 00:21 to 03:20 UTC — a North Korean threat actor compromised the npm account of the Axios package maintainer and published two backdoored versions: axios@1.14.1 and axios@0.30.4 [8].

Axios is the most popular JavaScript HTTP client library in existence. It has over 100 million weekly downloads. It is present in approximately 80% of cloud and code environments [9]. Claude Code depends on it.

The malicious versions introduced a hidden dependency, plain-crypto-js, containing a post-install script. This script executed automatically during npm install and deployed WAVESHAPER.V2 — a cross-platform backdoor — across Windows, macOS, and Linux. No user interaction required. Install the package, get owned.

Google's Threat Intelligence Group formally attributed the attack to UNC1069, a North Korea-nexus threat actor active since at least 2018, previously tracked as CryptoCore and MASAN [8]. The attribution rests on WAVESHAPER.V2 being a direct evolution of a backdoor previously attributed to UNC1069, and on C2 infrastructure overlaps with prior UNC1069 operations — including connections from a specific AstrillVPN node the group had used before.

How the maintainer was compromised

The Axios maintainer later published a post-mortem [10]. The attack began with social engineering. The attackers presented themselves as the founder of a legitimate, well-known company. They had cloned the founder's likeness, cloned the company's digital presence, and built a real Slack workspace branded to the company's CI — complete with channels sharing LinkedIn posts to build credibility over time.

The eventual attack vector was a Microsoft Teams call. The bogus site displayed a technically plausible error message and prompted the maintainer to download a native app. When he refused, the attackers asked him to run a curl command in Terminal. That too failed. They erased all conversations and disappeared. But the damage was already done — his npm account had been compromised through earlier stages of the campaign.

This is not a story about a weak password or an unpatched system. This is a state-sponsored operation that spent weeks building a social engineering campaign tailored to one individual, specifically to gain publish access to a package with 100 million weekly downloads.

Why it matters

Any developer or automated CI pipeline that ran npm install in the exposure window may have installed a North Korean backdoor. That includes any team that had Claude Code in their pipeline. The overlap between the Claude Code leak audience and the Axios install base is not a coincidence of timing — it is the entire developer ecosystem.

WAVESHAPER.V2 communicates using JSON over a command-and-control infrastructure that uses dead drop resolvers to evade takedowns [11]. It supports PE injection, arbitrary script execution, and remote command execution. Any system that installed the compromised versions should be treated as fully compromised: rotate its credentials and rebuild it from clean snapshots.

The broader pattern is also significant. UNC1069 isn't the only North Korea-nexus group currently targeting open-source package ecosystems. UNC6780 (TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with Trivy, Checkmarx, and LiteLLM in a separate campaign deploying the SANDCLOCK credential stealer [11]. Multiple state-sponsored groups are systematically targeting the trust infrastructure of open-source development — not as one-off operations, but as a sustained, coordinated strategy.

Incident Three

The Vidar and GhostSocks Campaign

Industrialised criminal infrastructure — deployed within 24 hours

What happened

Within 24 hours of the Claude Code leak, a threat actor created fake GitHub repositories impersonating the leaked source. These repositories promised an "unlocked enterprise version with no usage limits." [5] The downloadable archive — named Claude Code - Leaked Source Code (.7z) — contained ClaudeCode_x64.exe, a Rust-compiled dropper.

On execution, it deployed two payloads: Vidar v18.7, an information stealer, and GhostSocks, a SOCKS5 proxy tool. The repository appeared near the top of Google search results for "leaked Claude Code." [12]

What these payloads do

Vidar v18.7 performs multi-threaded theft of browser credentials, cryptocurrency wallets, session tokens, and system information. It uses a Steam Community profile and a Telegram channel as dead drop resolvers for its C2 address, making infrastructure takedown significantly harder [13].

GhostSocks does something less immediately obvious but arguably more consequential. It turns the infected machine into a node in a SOCKS5 proxy network. The victim's developer workstation becomes part of the attackers' anonymisation infrastructure. Their traffic routes through your machine. Your IP becomes their cover identity. This is not just credential theft — it is conscription.

The pre-existing campaign

The Claude Code lure was not a new operation. It was a slot in an existing, industrialised campaign. Trend Micro's analysis found that the same Rust-compiled dropper had been deployed across at least 38 distinct branded archives covering more than 25 software brands since at least February 2026 [13]. The payload never changes. The branding rotates.

This is what industrialised cybercrime looks like. The infrastructure was already running. The malware was already built. The distribution channel was already established. A high-profile leak created a social engineering opportunity, and the operation exploited it within 24 hours.

The Full Picture

The Convergence: What March 31 Actually Was

Three streams. One window. Same target.

A state-sponsored North Korean operation — months in preparation — deployed a backdoor through the most downloaded JavaScript library in the world, targeting developer infrastructure.

Anthropic shipped 512,000 lines of source code documenting the permission model, execution architecture, and feature flags of an AI agent with deep shell access on developer machines.

An industrialised criminal campaign, already running since February, pivoted its lure infrastructure onto the leaked source within hours and began delivering credential stealers and proxy malware.

Any developer who updated Claude Code via npm during the 00:21–03:29 UTC window was potentially exposed to all three simultaneously. They may have installed the Axios backdoor as a transitive dependency. They may have cloned a trojanised repository in the hours that followed.

The developer machine is not the edge of the attack surface. It is the centre of it. It has source code access. It has cloud credentials. It has API keys. It has production database access. A compromised developer workstation provides the same level of access as a compromised production server — sometimes more, because it sits inside the security perimeter by design.

Threat Assessment

What This Has Enabled

With the developer machine established as the primary target, it is worth being specific — not alarmist, specific — about what the permanently public source hands to different categories of adversary.

Opportunistic attackers

The reverse engineering barrier is gone. Claude Code's execution model — how it gates shell access, how it handles MCP server responses, how hooks are registered and triggered — was previously protected by obfuscation. That cost is now zero. Crafting a malicious repository that triggers arbitrary shell execution when a developer opens it no longer requires disassembly or fuzzing. It requires reading tools/bash.ts. CVE-2025-59536 and CVE-2026-21852 just became significantly easier to weaponise at scale.

Criminal operations

The social engineering surface expanded. Phishing a Claude Code user used to require generic pretexts. Now an attacker can reference real internal architecture — actual feature flags, real codenames, documented limitations, specific error conditions from the source — to construct support impersonations or spear-phishing that reads as genuinely informed. The Vidar campaign that deployed within 24 hours was blunt-force opportunism. What follows will be more precise.

State actors

The blueprint value is asymmetric. The model weights were not exposed, so Claude itself cannot be replicated. But the engineering decisions around context entropy, self-healing memory, multi-agent orchestration, and the KAIROS daemon architecture represent months of applied research. That knowledge — how Anthropic solved the specific failure modes of agentic AI at production scale — is now free. For any state programme building domestic AI infrastructure, the value is in compressing their own R&D timeline by studying how a frontier lab solved the hard problems.

KAIROS — the daemon threat

This deserves its own line. KAIROS is a persistent background daemon — always on, operating without waiting for user input, with shell access, capable of sending push notifications. Its complete implementation is now documented. Prompt injection against an always-on agent that can execute shell commands is a materially different threat than prompt injection against a chatbot. The full architecture being public makes that attack surface mappable in an afternoon.

Response

What Changes Now

If you updated Claude Code via npm between 00:21 and 03:29 UTC on March 31

The system is compromised until proven otherwise. Rotate all credentials — not just those you think were exposed, all of them. Check for node_modules/plain-crypto-js/ but don't be reassured by its absence — the malicious packages were designed so that post-infection inspection of the manifest looks clean. Rebuild from a verified clean snapshot. The three hours the backdoor was live were enough.

Stop treating the developer machine as a trusted environment

It has source code access, cloud credentials, API keys, and in most organisations, a direct path to production. If you wouldn't run unknown binaries with those privileges on a production server, you should not be running them on the machine that has equivalent access. AI coding agents with shell access and auto-executing hooks are not developer utilities. They are privileged infrastructure. Classify and monitor them accordingly — outbound traffic monitoring, endpoint detection, no ambient production credentials in the local environment.

The dependency pinning conversation is overdue

Lock file discipline and pinned versions would not have stopped teams that updated in the three-hour window, but they shrink the blast radius of every similar attack. Know exactly what version of every package you are running. Know the moment it changes. Automated tooling that silently updates dependencies to "latest" is not a convenience feature in the current threat environment. It is an attack surface.
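
As an added example (not code from any of the cited reports), the following audits a parsed package-lock.json for the two backdoored Axios versions and the plain-crypto-js dependency named in this article, and lists every package that declares an install script. The sample lockfile, the `legacy-sdk` package and the plain-crypto-js version string are constructed placeholders; run it against the lockfile as committed or as captured by CI, and remember that a clean result does not clear a host that installed during the window.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// Indicators come from this article; everything else is constructed.
const KNOWN_BAD = new Map([
  ["axios", ["1.14.1", "0.30.4"]], // backdoored releases named in the article
  ["plain-crypto-js", ["*"]],      // hidden dependency: any version is a hit
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

function auditLockfile(lock, allowedInstallScripts = []) {
  const hits = [];
  const installScripts = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry
    const name = entry.name || nameFromLockPath(lockPath);
    if (!name) continue;
    const bad = KNOWN_BAD.get(name);
    if (bad && (bad.includes("*") || bad.includes(entry.version))) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
    // Install-time scripts are how the dropper ran; keep an explicit allowlist.
    if (entry.hasInstallScript && !allowedInstallScripts.includes(name)) {
      installScripts.push({ name, version: entry.version, path: lockPath });
    }
  }
  return { hits, installScripts };
}

// Constructed sample lockfile, including a nested (transitive) copy of axios.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": {
      version: "0.0.0-placeholder", hasInstallScript: true,
    },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/esbuild": { version: "0.21.5", hasInstallScript: true },
  },
};

const report = auditLockfile(SAMPLE_LOCK, ["esbuild"]);
for (const h of report.hits) {
  console.log(`KNOWN-BAD ${h.name}@${h.version} at ${h.path}`);
}
for (const s of report.installScripts) {
  console.log(`UNREVIEWED install script: ${s.name}@${s.version}`);
}
```

Installing with `npm ci --ignore-scripts` keeps install scripts from running at all, at the cost of handling the few packages that genuinely need them.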

Run Claude Code in a constrained environment — and be specific about what that means

At minimum: no ambient cloud credentials in the shell profile, secrets accessed via a vault or short-lived token rather than environment variables that persist across sessions, and Claude Code running in a directory-scoped context rather than with access to the full home directory. The practical version most teams can implement today is three steps: remove AWS/GCP/Azure credentials from your shell profile, use a secrets manager for anything sensitive, and scope Claude Code's working directory to the project rather than your home. That does not eliminate the attack surface. It makes silent credential exfiltration substantially harder.

Ask your AI tooling vendors one question

What gates exist on package contents before publish? Not "do you have a security team." Not "are you SOC 2 compliant." What specifically prevents a debug artefact from shipping in a production release? If they cannot answer that precisely, they have not formalised the process — which means it depends on individuals not making mistakes. March 31 is what that looks like when someone does.
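
One form such a gate can take, as an added example that is not Anthropic's or any vendor's actual pipeline: a check over the parsed output of `npm pack --dry-run --json` that blocks the publish job when the tarball would contain a source map, an environment file or raw TypeScript, or when its size jumps against the previous release. It covers both the source-map packaging error described under Incident One and the question above; the patterns, thresholds and sample manifest are assumptions constructed for illustration.

```javascript
// Added example: gate on package contents before `npm publish`.
// Input is the parsed output of `npm pack --dry-run --json`.
// All thresholds and patterns are assumed policy, not from a real project.
const POLICY = {
  forbidden: [
    { re: /\.map$/i, why: "source map (maps the bundle back to original source)" },
    { re: /(^|\/)\.env(\.[^/]*)?$/, why: "environment file" },
    // Raw TypeScript is unexpected in a bundled CLI; declaration files are fine.
    { re: /\.tsx?$/i, allow: /\.d\.ts$/i, why: "TypeScript source" },
  ],
  maxFileBytes: 20 * 1024 * 1024, // assumed per-file ceiling
  maxGrowthRatio: 1.5,            // assumed ceiling relative to the last release
};

function checkPackManifest(packJson, previousUnpackedSize, policy = POLICY) {
  const findings = [];
  for (const pkg of packJson) {
    for (const file of pkg.files) {
      for (const rule of policy.forbidden) {
        const allowed = rule.allow && rule.allow.test(file.path);
        if (rule.re.test(file.path) && !allowed) {
          findings.push({ pkg: pkg.id, path: file.path, reason: rule.why });
        }
      }
      if (file.size > policy.maxFileBytes) {
        findings.push({ pkg: pkg.id, path: file.path,
          reason: `single file of ${file.size} bytes exceeds ${policy.maxFileBytes}` });
      }
    }
    // A sudden jump in tarball size is a cheap signal that something extra shipped.
    if (previousUnpackedSize > 0 &&
        pkg.unpackedSize > previousUnpackedSize * policy.maxGrowthRatio) {
      findings.push({ pkg: pkg.id, path: "*",
        reason: `unpacked size ${pkg.unpackedSize} vs ${previousUnpackedSize} last release` });
    }
  }
  return findings;
}

// Constructed sample: a bundled CLI whose build left its source map in place.
const SAMPLE_PACK = [{
  id: "example-cli@1.0.1",
  unpackedSize: 72000000,
  files: [
    { path: "package.json", size: 1200, mode: 420 },
    { path: "cli.js", size: 9000000, mode: 493 },
    { path: "cli.js.map", size: 62000000, mode: 420 },
    { path: "types/index.d.ts", size: 4000, mode: 420 },
  ],
}];

// In CI: fail the publish job when this list is non-empty.
for (const f of checkPackManifest(SAMPLE_PACK, 10000000)) {
  console.log(`BLOCK ${f.pkg} ${f.path}: ${f.reason}`);
}
```

The check runs on the file list npm itself would publish, so it still catches the artefact when `.npmignore` or the `files` field in package.json is wrong.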

Supply chain attack escalation — February to April 2026
Chart: relative severity by week. Feb wk1–4 low baseline 1–3; Mar wk1–2 rising 3–7; Mar wk3 spike to 8 (TeamPCP); Mar 31 peak at 18 (convergence); Apr wk1–2 partial data 9–14. Series: state-actor activity, IP / source exposure, criminal campaign activity, March 31 convergence.
On the April drop-off. The lower figures after March 31 reflect confirmed, publicly reported incidents — not actual threat level. Attribution lag is real: the Axios backdoor's post-compromise activity, the ongoing Vidar lure campaign, and whatever UNC1069 did with credentials harvested in the three-hour window take weeks or months to surface in threat intelligence reports. The attacks did not stop. Our visibility did. The threat floor did not return to its pre-March 31 baseline. The source code is permanently public. That condition does not reverse.
Severity index is relative and qualitative, derived from confirmed public disclosures. Sources: Google GTIG, Zscaler ThreatLabz, Trend Micro, Tenable, Help Net Security.

The Bigger Picture

March 31, 2026 was not a bad day caused by one company's mistake. It was a proof of concept.

The developer toolchain is the upstream trust boundary for everything. It sits above source code, above production infrastructure, above the security perimeter. Whoever controls what executes on developer machines, or what installs silently as a dependency, has access to everything downstream.

State actors understand this. They have been targeting open-source maintainers systematically — not because it is easy, but because the return on investment is extraordinary. One compromised maintainer account, held for three hours, reached 3% of the Axios userbase across 80% of cloud and code environments globally. The arithmetic is compelling.

AI coding agents with shell access, persistent daemon modes, deep IDE integration, and auto-executing hooks are the most privileged software currently being deployed at scale on developer machines. They are also the newest, the least audited, and the most dependent on trust in their distribution infrastructure.

The weaponisation window is not a metaphor. It is a specific three-hour window that opened at 00:21 UTC on March 31, 2026. The backdoors deployed in that window are still active on systems that installed them. The source code exposed that morning is permanently public. The criminal infrastructure that pivoted onto the leak within 24 hours is still running, rotating lures, waiting for the next high-profile incident.

March 31 was not an anomaly. It was a demonstration of what the current threat environment looks like when several things go wrong at once. They will go wrong again.

References

  1. VentureBeat, "Claude Code's source code appears to have leaked: here's what we know." April 2026. venturebeat.com
  2. Axios, "Anthropic leaked source code for its Claude Code CLI tool." March 31, 2026. axios.com
  3. Engineers Codex, "Diving into Claude Code's Source Code Leak." April 2026. read.engineerscodex.com
  4. VentureBeat, "Claude Code's source code appears to have leaked: here's what we know" — Capybara internal metrics and model roadmap. April 2026. venturebeat.com
  5. Zscaler ThreatLabz, "Anthropic Claude Code Leak." April 2026. zscaler.com
  6. The Hacker News, "Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms." April 2026. thehackernews.com
  7. Cyber Unit, "The Claude Code Source Code Leak: What Businesses Using AI Coding Tools Need to Know." April 2026. cyberunit.com
  8. Google Cloud Blog — Google Threat Intelligence Group, "North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack." March 31, 2026. cloud.google.com
  9. SecurityWeek, "Axios NPM Package Breached in North Korean Supply Chain Attack." April 2026. securityweek.com
  10. The Hacker News, "UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack." April 2026. thehackernews.com
  11. Tenable Research Special Operations, "Frequently Asked Questions About the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069." April 2026. tenable.com
  12. Help Net Security, "Claude Code source leak exploited to spread malware." April 2026. helpnetsecurity.com
  13. Trend Micro, "Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads." April 2026. trendmicro.com