5 April
After the Claude Code source code leaked on March 31, 2026, security researchers worldwide discovered multiple critical vulnerabilities — from Deny Rules that could be bypassed, to Supply Chain Attacks and Malware piggybacking on the incident. This article, EP 2 of 3, analyzes each vulnerability in detail.
Quick Summary — What Vulnerabilities Were Found?
Three major threats were discovered:
- Deny Rules Bypass vulnerability — when commands exceed 50 subcommands, the system skips all security checks entirely
- Supply Chain Attack — a fake axios version with an embedded RAT
- Fake GitHub repos designed to trick users into downloading malware
Vulnerability #1 — Deny Rules Bypass (Critical)
After the source code leaked, the Red Team from Adversa AI analyzed the code and discovered a critical vulnerability in Claude Code — when a command contains more than 50 subcommands, the entire security system is silently skipped, including Deny Rules, Security Validators, and Command Injection Detection.
The most dangerous aspect is that the 51st command falls back to "ask as required" mode — but the user receives no warning whatsoever that Deny Rules have been bypassed.
| Scenario | Deny Rules | Security Validators | Command Injection Detection | Result |
|---|---|---|---|---|
| ≤ 50 subcommands | Active | Active | Active | Safe |
| > 50 subcommands | Bypassed | Bypassed | Bypassed | Dangerous |
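The table describes a checker that fails open once a command grows past its limit. The sketch below is an added example, not Claude Code's implementation: it shows the fail-closed alternative, where every subcommand is matched against the deny rules and an over-long chain is refused outright. The rule format (a list of command names), the function names and the sample command are assumptions made for illustration.

```javascript
// Added illustration, not Claude Code source. Rule format and names are hypothetical.
const MAX_SUBCOMMANDS = 50; // threshold reported in the article

// Split on ; | || & && and newlines, honouring quotes and backslash escapes.
// Simplification: command substitution ($(...), backticks) is not parsed.
function splitSubcommands(cmd) {
  const parts = [];
  let cur = '';
  let quote = null;
  const flush = () => { if (cur.trim()) parts.push(cur.trim()); cur = ''; };
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    const escaped = ch === '\\' && quote !== "'" && i + 1 < cmd.length;
    if (escaped) {
      cur += ch + cmd[++i];               // keep the escaped character literally
    } else if (quote) {
      if (ch === quote) quote = null;     // closing quote
      cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      cur += ch;
    } else if (';\n|&'.includes(ch) && !(ch === '&' && cur.endsWith('>'))) {
      flush();                            // separator (but "2>&1" is a redirect)
    } else {
      cur += ch;
    }
  }
  flush();
  return parts;
}

// Every subcommand is checked; an over-long chain is refused, never waved through.
function evaluate(cmd, denyRules) {
  const subs = splitSubcommands(cmd);
  const count = subs.length;
  const hit = subs.findIndex((s) => denyRules.includes(s.split(/\s+/)[0].split('/').pop()));
  if (hit !== -1) return { decision: 'deny', reason: `deny rule matched subcommand ${hit + 1}`, count };
  if (count > MAX_SUBCOMMANDS) return { decision: 'deny', reason: 'subcommand limit exceeded', count };
  return { decision: 'allow', reason: 'no rule matched', count };
}

// Constructed input: 50 harmless subcommands followed by one a deny rule covers.
const SAMPLE = Array(50).fill('true').concat('curl https://example.invalid').join(' && ');
console.log(evaluate(SAMPLE, ['curl']));
```

The same function is a reasonable pre-review check for build steps found in a repository's CLAUDE.md: a chain that exceeds the limit is itself a signal worth a human look.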
Attack Method — CLAUDE.md Attack Vector
Attackers can exploit this vulnerability by embedding malicious commands in CLAUDE.md (the Claude Code configuration file located in the repository) — a technique similar to SQL Injection or XSS attacks that embed commands in locations the system reads automatically.
Steps of the attack:
- The attacker embeds malicious commands in the repository's CLAUDE.md — disguised as normal build steps
- Creates a pipeline with 50+ subcommands that appear to be routine tasks
- The 51st command executes without any security checks
- The attacker can exfiltrate sensitive data from the victim's machine
Examples of data attackers could steal:
- SSH Private Keys
- AWS Credentials
- GitHub Tokens
- npm Tokens
- Environment Secrets
- Browser Cookies
Has Anthropic Fixed This?
After Adversa AI reported this vulnerability, Anthropic quietly patched it in Claude Code v2.1.90, initially without an official announcement. However, reports from CSO Online indicate that the vulnerability may still be partially exploitable — organizations using Claude Code should always update to the latest version and implement two-factor authentication (2FA) as an additional safeguard.
Vulnerability #2 — Supply Chain Attack (Fake axios)
During the source code leak window (March 31, 2026, 00:21-03:29 UTC), another serious incident occurred — someone published a fake version of axios containing a Remote Access Trojan (RAT) on npm.
axios versions 1.14.1 and 0.30.4 published during that time window contained an embedded RAT — anyone who installed or updated Claude Code via npm during that period may have received the malicious code.
| Time (UTC) | Event |
|---|---|
| 00:21 | Sourcemap leaked → npm package published |
| 00:21-03:29 | Fake axios versions (1.14.1, 0.30.4) published with embedded RAT |
| 03:29 | Anthropic removed the package from npm |
What Could the RAT Do?
The Remote Access Trojan (RAT) embedded in the fake axios allowed attackers to remotely control the victim's machine — including stealing credentials, installing additional malware, and accessing files on the machine.
What makes this particularly concerning is that most victims were software developers who typically have access to production systems, cloud credentials, and internal organizational systems — meaning the impact could extend far beyond the personal machine.
Vulnerability #3 — Malware Hidden on GitHub
Beyond the Supply Chain Attack, malicious actors also took advantage of the situation — a GitHub user named "idbzoomh" created a fake repository claiming to be the "Claude Code source code" to lure people into downloading it.
But what was actually hidden inside were two pieces of malware:
| Malware | Type | What It Steals/Does |
|---|---|---|
| Vidar | Infostealer | Steals credentials, credit card data, browsing history |
| GhostSocks | Proxy Trojan | Uses the victim's machine as a network proxy — attackers can route traffic through the victim's machine |
Vidar is a well-known infostealer in the cybercrime world — capable of stealing account credentials, credit card information, and entire browser histories. GhostSocks turns the victim's machine into a proxy for routing network traffic — which could be used to attack other targets.
Risks from the Leaked Source Code
What makes the long-term situation concerning is that the leaked source code has already been analyzed by thousands of developers, researchers, and malicious actors:
- Ported to Rust and Python — and distributed across multiple channels
- Potential for discovering additional vulnerabilities — knowing the internal architecture helps attackers craft more precise targeted attacks
- Deny Rules may be bypassable through other methods — that have not yet been discovered
- Knowledge of the tool permission system — enables creation of more sophisticated prompt injections
Security Lessons from This Incident
The Claude Code source code leak serves as an important lesson for every organization using AI tools in their workflow — whether code-writing tools, code review systems, or various AI assistants.
What Organizations Should Do
- Always audit your dependencies — use tools like npm audit, Snyk, or Dependabot
- Have a policy for AI tools — define which AI tools can be used, which cannot, and how they should be used
- Enable 2FA on all accounts — especially GitHub, npm, AWS, and cloud providers
- Use ERP systems that pass security audits — choose systems with verifiable security standards
- Monitor the supply chain — set up alerts for dependencies with suspicious version changes
Summary — 3 Vulnerabilities Found After Claude Code Leak
| Vulnerability | Severity | Fix Status |
|---|---|---|
| Deny Rules Bypass (> 50 subcommands) | Critical | Fixed in v2.1.90 (may still be partially exploitable) |
| Supply Chain Attack (fake axios + RAT) | Critical | Package removed — but those who installed during 00:21-03:29 UTC may be affected |
| GitHub Malware (Vidar + GhostSocks) | High | Repo deleted — but those who downloaded may be infected |
A source code leak is not just an intellectual property issue — it opens the door for researchers and malicious actors to discover hidden vulnerabilities exponentially faster.
— Saeree ERP Team
References
- SecurityWeek — Critical Vulnerability in Claude Code Emerges Days After Source Leak
- Adversa AI — Claude Code Security Bypass: Deny Rules Disabled
- The Register — Fake Claude Code source downloads delivered malware
- BleepingComputer — Claude Code leak used to push infostealer malware on GitHub
- Zscaler ThreatLabz — Anthropic Claude Code Leak
