Hackers, Claude and One Human Error

If you have ever Googled "Claude Code" and clicked the first result, you may want to read this carefully.

CyberSamm

~3 min read · April 28, 2026 (Updated: April 28, 2026) · Free: Yes

Since February 2026, cybercriminals have been running a campaign impersonating Anthropic's Claude, one of the most popular AI tools among developers right now. They set up fake websites, fake GitHub repositories and fake download pages, all designed to look exactly like the real thing. But instead of Claude Code, you get malware.

The campaign got significantly worse on March 31, 2026, when Anthropic accidentally made things easier for the attackers.

The Leak on March 31

On that day, Anthropic accidentally published the full source code of Claude Code to the public npm registry. Version 2.1.88 of the tool shipped with a debug file that should never have been included, exposing over 512,000 lines of internal code across nearly 2,000 files. No user data was compromised, and Anthropic confirmed it was a packaging error caused by human error, not a security breach.

But the damage was done. Within 24 hours, threat actors had already pivoted to distributing malware disguised as the leaked Claude Code, using the story's visibility to lure in victims.

The Malware

The fake installers target both Windows and macOS users. Once downloaded, they deploy an infostealer called Amatera, which quietly harvests your saved passwords, browser cookies, session tokens, autofill data and cryptocurrency wallet information. With that data, an attacker can log into your cloud accounts, internal dashboards and administrator panels without ever needing your actual password. Some variants also install GhostSocks, a proxy malware that silently turns your device into a tool for routing criminal traffic.

The fake pages even ranked at the top of Google search results for "Claude Code" related searches. Most victims had no idea they were on the wrong site.

How Anthropic Responded

Anthropic pulled the compromised package from npm the same day it was discovered. In a statement to CNBC, the company said it was "rolling out measures to prevent this from happening again."

Beyond that, Anthropic took a proactive step to block a follow-on attack. Threat actors had already begun registering npm package names that matched Anthropic's internal Claude Code dependencies, planning to push malicious updates once developers started installing them. The five package names were: audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi and url-handler-napi. Anthropic reserved all five as placeholder packages, blocking attackers from weaponizing them.

However, Anthropic has been direct about one limitation. They have no control over the fake versions circulating on GitHub and through Google Ads. That fight is largely being led by third party security firms like Trend Micro, Zscaler and Malwarebytes.

Where to Get the Real Claude Code

This is the most important part of this article.

The only official way to install Claude Code is through npm using the command line. The exact command is: npm install -g @anthropic-ai/claude-code

There is no official binary download from a website. There is no official installer on GitHub from a third party. If you are downloading a .exe or .dmg file from a webpage claiming to be Claude Code, stop. That is not how the real tool is distributed. Going forward, Anthropic has also designated a Native Installer as its recommended installation method, a standalone binary that does not rely on the npm dependency chain at all. Details are available on Anthropic's official documentation at docs.anthropic.com.

What You Should Do Right Now

If you installed or updated Claude Code on March 31, 2026, between 12.21am and 3.29am UTC, check your system immediately. A separate supply chain attack on the Axios npm package happened during that same window, meaning some users may have unknowingly pulled a remote access trojan alongside their Claude Code update. Change your passwords, rotate your API keys and check for any unexpected outbound connections from your device.

For everyone else, the rule is simple. Only install Claude Code from Anthropic's official channels. If a GitHub repository is promising you "unlocked enterprise features" or "no usage limits" on a leaked version of Claude Code, it is malware. That promise is always the red flag.

Attackers are fast. They turned a packaging mistake into a live attack campaign in under 24 hours. The best thing you can do is make sure you are never the person who clicks the wrong link.

Sources: The Hacker News, Trend Micro, Zscaler ThreatLabz, Malwarebytes, SiliconANGLE, CNBC, SOCRadar

#claude-code #hacker #cybersecurity #human-error

< Go to the original