I recently discovered some serious security issues involving malicious npm packages that are specifically targeting AI coding tools. I ran a scanner overnight and it found 21 malicious packages related to 11 different campaigns within about 2000 recent npm changes. Some of the alarming findings include:
1. A package called 'makecoder' hijacks your Claude Code configuration during installation, routing all API calls through their own server, which essentially means every conversation gets intercepted.
2. Another package, 'skillvault', fetches encrypted payloads from a remote API to install as skills for Claude Code, making it impossible to inspect the payloads since they can change without an npm update.
3. 'keystonewm' and 'tsunami-code' are disguised as AI coding assistants but actually function as Remote Access Trojans (RATs), passing everything through an attacker's tunnel.
4. There are also six fake Strapi plugins that exploit Redis to write files across the host, create a reverse shell, and potentially steal sensitive information like SSH keys and crypto wallets.
Additionally, I found various other threats including a credential stealer that targets Verisign and an obfuscated package tied to ByteDance's u/volcengine scope. What's shocking is that none of these were flagged by any public scanners when I found them! I've got full reports available on my site with more details.
5 Answers
NPM has its flaws, but the real issue here seems to be how the registry allows arbitrary code execution during installation. If postinstall hooks required approval from users, these attacks wouldn't be possible.
Some comments are just self-promotion rather than helpful advice. Let's focus on discussing actual solutions and staying aware of these threats!
It's definitely concerning! The 'makecoder' issue is particularly nasty since it can access your context. Attackers can map your full setup and may even inject malicious code into future conversations. I suggest auditing your `~/.claude/` directory just like you would with `~/.ssh/` to ensure nothing's compromised.
The context massively changes what we consider malicious. What's your current setup? That would help clarify the risks you're facing.
For anyone wanting deeper insights, I've compiled full technical reports with Indicators of Compromise (IOCs) and code analysis on my site. It's a bit of a wake-up call for those using these tools!
Related Questions
How To: Running Codex CLI on Windows with Azure OpenAI
Set Wordpress Featured Image Using Javascript
How To Fix PHP Random Being The Same
Why no WebP Support with Wordpress
Replace Wordpress Cron With Linux Cron
Customize Yoast Canonical URL Programmatically