{"slug": "malicious-npm-packages-backdoor-claude-code-sessions", "title": "Malicious npm Packages Backdoor Claude Code Sessions", "summary": "Five typosquatting npm packages published by accounts named \"superbase\" and \"micresoft\" contain a hidden 4.5 MB ELF binary that executes automatically upon `npm install` and, through a hijacked `SessionStart` hook, re-executes every time a Claude Code session starts in the affected project. The binary establishes a TLS connection to command-and-control server `207.90.194.2:443` to exfiltrate environment variables, home directory contents, git repository data, and `/proc/` filesystem information. The packages mimic legitimate libraries like `microsoft-applicationinsights-common`, `ms-graph-types`, and `iceberg-javascript` by shipping full compiled output and matching real version numbers to evade detection.", "body_md": "Malicious npm Packages Backdoor Claude Code Sessions\nTable of Contents\nFive typosquatting npm packages carry a hidden ELF binary. It executes on npm install\nand, via a hijacked SessionStart\nhook, re-executes on every Claude Code session start in the affected project. SafeDep flagged the campaign after five packages published within hours of each other by two accounts named superbase\nand micresoft\n, all shipping identical 4.5 MB binaries inside a .claude/\ndirectory. The C2 endpoint is 207[.]90[.]194[.]2:443\n.\nThe Packages\nAll five were published within the same one-hour window and carry the same binary.\n3.4.2\nfor microsoft-applicationinsights-common\nand 2.43.2\nfor ms-graph-types\ntrack the real packages’ current release history, which matters for environments using loose semver ranges or dependency confusion monitoring.\nWhat npm pack\nReveals\nThe first anomaly shows up before any installation:\nA 4.5 MB file named settings\ninside a .claude/\ndirectory has no legitimate purpose in a JavaScript client library for Apache Iceberg. The same pattern appears across all five packages. Same binary size, same path.\nThe package.json\nscripts confirm the trigger:\nRunning npm install\nexecutes the binary before any other install step completes, with no import or code execution by the developer needed.\nThe Claude Code Hook\nEach package also ships .claude/settings.json\n:\nClaude Code reads project-level .claude/settings.json\nwhen a session starts and executes every registered hook. The binary runs on every session open in that project directory.\nA developer who installs one of these packages and keeps working in Claude Code re-triggers the binary on every session, for days or weeks, with no follow-up action needed. Unlike preinstall\n, which fires once at install time, SessionStart\nfires every time the project opens. For background on how Claude Code hooks work in practice, see vibe coding security risks.\nBinary Analysis\nAll five packages carry the identical binary:\nThe binary is statically linked and UPX-compressed. The missing section headers and compressed string table are UPX signatures. strings\non the raw binary confirms the packer’s self-identification:\nRunning strings\nagainst the packed binary leaks through the compression envelope. The C2 endpoint is visible:\nThe same pass surfaces HOME\n, /proc/\n, and /git/\nreferences:\nEnvironment variables, home directory contents, git repository data, and /proc/\nfilesystem entries: the standard credential harvesting target list. The binary establishes a TLS connection to 207.90.194.2:443\nto exfiltrate whatever it finds.\nVirusTotal flags the binary as Program:Script/Wacapew.A!ml\n(Microsoft). Criminal IP flags 207.90.194.2\nas malicious infrastructure.\nImpersonation Quality\niceberg-javascript\ncopies the full compiled output from the real iceberg-js\npackage: CJS bundles, ESM modules, TypeScript declarations, source maps. The files\nfield in package.json\nomits dist/\n, but the tarball includes it. The package looks like a valid release.\nsupabase-javascript\ngoes further. It includes a postinstall.js\nthat mimics the real Supabase CLI’s install behavior, downloading a platform binary from a GitHub release URL:\nThe release does not exist, so the postinstall step fails. By then, preinstall\nhas executed the binary.\nMost typosquatting packages are thin: version 0.0.1\n, a bare README, no real content. These ship full compiled output and match real version numbers, making them harder to dismiss on sight.\nIndicators of Compromise\nWhat to Check\nIf any of these packages appear in a package-lock.json\n, yarn.lock\n, or pnpm-lock.yaml\n:\n- Check for\n.claude/settings\nand.claude/settings.json\nin the installed package directory undernode_modules\n. - Block outbound connections to\n207[.]90[.]194[.]2\nand audit logs for prior connections. - Rotate all credentials accessible from the affected machine: npm tokens, GitHub tokens, SSH keys, AWS credentials, and any environment variables present during the install session.\nThe Claude Code hook survives package removal. If someone copied .claude/settings.json\ninto the project root, or deleted node_modules\nwithout updating the lockfile, the hook remains. Confirm the hook entry is gone from .claude/settings.json\nbefore marking the machine clean.\n- npm\n- malicious-package\n- claude-code\n- supply-chain-security\n- malware\n- typosquatting\nAuthor\nKunal Singh\nsafedep.io\nShare\nThe Latest from SafeDep blogs\nFollow for the latest updates and insights on open source security & engineering\nMalicious durabletask on PyPI: Multi-Cloud Credential Stealer with Worm Capabilities\nThree compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP,...\nCompromised node-ipc on npm: Credential Stealer via DNS Exfiltration\nAnalysis of compromised node-ipc versions 9.1.6, 9.2.3, and 12.0.1 on npm: a maintainer account takeover injects an 80KB obfuscated credential stealer that targets 100+ sensitive files (SSH keys,...\nMini Shai-Hulud Strikes Again: 317 npm Packages Compromised\nA compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+...\nCache Poisoning Through pull_request_target: The TanStack Incident\nA GitHub user opened a PR against TanStack Router from a fork, poisoned the shared pnpm cache through a pull_request_target workflow, then force-pushed the branch clean. When the release pipeline...\nShip Code.\nNot Malware.\nStart free with open source tools on your machine. Scale to a unified platform for your organization.", "url": "https://wpnews.pro/news/malicious-npm-packages-backdoor-claude-code-sessions", "canonical_source": "https://safedep.io/malicious-npm-packages-claude-code-hooks", "published_at": "2026-05-13 12:00:00+00:00", "updated_at": "2026-05-19 22:29:23.726057+00:00", "lang": "en", "topics": ["cybersecurity", "open-source", "developer-tools", "artificial-intelligence", "large-language-models"], "entities": ["npm", "Claude Code", "SafeDep", "superbase", "micresoft", "microsoft-applicationinsights-common", "ms-graph-types", "Apache Iceberg"], "alternates": {"html": "https://wpnews.pro/news/malicious-npm-packages-backdoor-claude-code-sessions", "markdown": "https://wpnews.pro/news/malicious-npm-packages-backdoor-claude-code-sessions.md", "text": "https://wpnews.pro/news/malicious-npm-packages-backdoor-claude-code-sessions.txt", "jsonld": "https://wpnews.pro/news/malicious-npm-packages-backdoor-claude-code-sessions.jsonld"}}