Malicious npm Packages Backdoor Claude Code Sessions

Five typosquatting npm packages published by accounts named "superbase" and "micresoft" contain a hidden 4.5 MB ELF binary that executes automatically upon `npm install` and, through a hijacked `SessionStart` hook, re-executes every time a Claude Code session starts in the affected project. The binary establishes a TLS connection to command-and-control server `207.90.194.2:443` to exfiltrate environment variables, home directory contents, git repository data, and `/proc/` filesystem information. The packages mimic legitimate libraries like `microsoft-applicationinsights-common`, `ms-graph-types`, and `iceberg-javascript` by shipping full compiled output and matching real version numbers to evade detection.

Malicious npm Packages Backdoor Claude Code Sessions Table of Contents Five typosquatting npm packages carry a hidden ELF binary. It executes on npm install and, via a hijacked SessionStart hook, re-executes on every Claude Code session start in the affected project. SafeDep flagged the campaign after five packages published within hours of each other by two accounts named superbase and micresoft , all shipping identical 4.5 MB binaries inside a .claude/ directory. The C2 endpoint is 207 . 90 . 194 . 2:443 . The Packages All five were published within the same one-hour window and carry the same binary. 3.4.2 for microsoft-applicationinsights-common and 2.43.2 for ms-graph-types track the real packages’ current release history, which matters for environments using loose semver ranges or dependency confusion monitoring. What npm pack Reveals The first anomaly shows up before any installation: A 4.5 MB file named settings inside a .claude/ directory has no legitimate purpose in a JavaScript client library for Apache Iceberg. The same pattern appears across all five packages. Same binary size, same path. The package.json scripts confirm the trigger: Running npm install executes the binary before any other install step completes, with no import or code execution by the developer needed. The Claude Code Hook Each package also ships .claude/settings.json : Claude Code reads project-level .claude/settings.json when a session starts and executes every registered hook. The binary runs on every session open in that project directory. A developer who installs one of these packages and keeps working in Claude Code re-triggers the binary on every session, for days or weeks, with no follow-up action needed. Unlike preinstall , which fires once at install time, SessionStart fires every time the project opens. For background on how Claude Code hooks work in practice, see vibe coding security risks. Binary Analysis All five packages carry the identical binary: The binary is statically linked and UPX-compressed. The missing section headers and compressed string table are UPX signatures. strings on the raw binary confirms the packer’s self-identification: Running strings against the packed binary leaks through the compression envelope. The C2 endpoint is visible: The same pass surfaces HOME , /proc/ , and /git/ references: Environment variables, home directory contents, git repository data, and /proc/ filesystem entries: the standard credential harvesting target list. The binary establishes a TLS connection to 207.90.194.2:443 to exfiltrate whatever it finds. VirusTotal flags the binary as Program:Script/Wacapew.A ml Microsoft . Criminal IP flags 207.90.194.2 as malicious infrastructure. Impersonation Quality iceberg-javascript copies the full compiled output from the real iceberg-js package: CJS bundles, ESM modules, TypeScript declarations, source maps. The files field in package.json omits dist/ , but the tarball includes it. The package looks like a valid release. supabase-javascript goes further. It includes a postinstall.js that mimics the real Supabase CLI’s install behavior, downloading a platform binary from a GitHub release URL: The release does not exist, so the postinstall step fails. By then, preinstall has executed the binary. Most typosquatting packages are thin: version 0.0.1 , a bare README, no real content. These ship full compiled output and match real version numbers, making them harder to dismiss on sight. Indicators of Compromise What to Check If any of these packages appear in a package-lock.json , yarn.lock , or pnpm-lock.yaml : - Check for .claude/settings and.claude/settings.json in the installed package directory undernode modules . - Block outbound connections to 207 . 90 . 194 . 2 and audit logs for prior connections. - Rotate all credentials accessible from the affected machine: npm tokens, GitHub tokens, SSH keys, AWS credentials, and any environment variables present during the install session. The Claude Code hook survives package removal. If someone copied .claude/settings.json into the project root, or deleted node modules without updating the lockfile, the hook remains. Confirm the hook entry is gone from .claude/settings.json before marking the machine clean. - npm - malicious-package - claude-code - supply-chain-security - malware - typosquatting Author Kunal Singh safedep.io Share The Latest from SafeDep blogs Follow for the latest updates and insights on open source security & engineering Malicious durabletask on PyPI: Multi-Cloud Credential Stealer with Worm Capabilities Three compromised versions of the Microsoft durabletask Python SDK 1.4.1, 1.4.2, 1.4.3 were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP,... Compromised node-ipc on npm: Credential Stealer via DNS Exfiltration Analysis of compromised node-ipc versions 9.1.6, 9.2.3, and 12.0.1 on npm: a maintainer account takeover injects an 80KB obfuscated credential stealer that targets 100+ sensitive files SSH keys,... Mini Shai-Hulud Strikes Again: 317 npm Packages Compromised A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+... Cache Poisoning Through pull request target: The TanStack Incident A GitHub user opened a PR against TanStack Router from a fork, poisoned the shared pnpm cache through a pull request target workflow, then force-pushed the branch clean. When the release pipeline... Ship Code. Not Malware. Start free with open source tools on your machine. Scale to a unified platform for your organization.