Anthropic accidentally exposed internal source code for its Claude Code AI coding tool after a debug file was mistakenly included in a public npm package update, Axios reported. The leak exposed roughly 500,000 lines of code across approximately 1,900 files, according to Fortune.
https://qz.com/anthropic-claudhttps://qz.com/anthropic-claude-code-leak-npm-errore-code-lehttps://qz.com/anthropic-claude-code-leak-npm-errorak-npm-error
Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. Anyone who regularly downloads packages from NPM should check the Koi post for a list of indicators that their system has been compromised through PhantomRaven. These indicators can be used in system scans to determine whether they’ve been targeted.
https://arstechnica.com/security/2025/10/npm-flooded-with-malicious-packages-downloaded-more-than-86000-times/
An ongoing attack is uploading hundreds of malicious packages to the open source node package manager (NPM) repository in an attempt to infect the devices of developers who rely on code libraries there, researchers said. The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency. The campaign, which was active at the time this post was going live on Ars, was reported by researchers from the security firm Phylum. The discovery comes on the heels of a similar campaign a few weeks ago targeting developers using forks of the Ethers.js library.
https://arstechnica.com/security/2024/11/javascript-developers-targeted-by-hundreds-of-malicious-code-libraries/