Malicious npm Package Stole Claude AI Files via GitHub
A malicious npm package silently exfiltrated files from Claude AI's user directory and uploaded them to GitHub. Here's how it worked and what to do.
A malicious npm package has been caught stealing files from the Claude AI user directory and uploading them directly to GitHub. The attack is a sharp reminder that supply chain threats don't just target your production code. They target the tools and AI assistants your developers use every day.
How the Malicious npm Package Worked
The package embedded file-harvesting logic that specifically targeted directories associated with Claude AI's local configuration and user data. Once installed, it silently scanned the victim's filesystem for files in known Claude user paths, collected whatever it found, and exfiltrated the data by pushing it to an attacker-controlled GitHub repository.
Using GitHub as the exfiltration channel is deliberate. GitHub traffic is almost never blocked by corporate firewalls or endpoint security tools. It blends in. Most organizations whitelist github.com without a second thought, which makes it a reliable data drop point for attackers who want to avoid triggering network-based detection.
The package likely spread through typosquatting or dependency confusion, two techniques that continue to work because developers install packages quickly and rarely audit every transitive dependency.
What Data Was at Risk
Claude AI stores user-specific data locally, which can include conversation history, API keys, and configuration files, depending on how the client is set up. Any of that material sitting in the targeted directory was fair game.
For developers using Claude as a coding assistant, the exposure could include source code snippets, internal prompts, API credentials passed through the assistant interface, and environment-specific configuration. That's a significant blast radius from a single npm install.
Why This Attack Pattern Is Hard to Catch
Standard static analysis won't flag this easily. The exfiltration logic can be obfuscated, executed as a postinstall script, or hidden inside a dependency several layers deep. By the time a developer notices something odd, the files are already sitting in a GitHub repo the attacker controls.
Runtime behavior monitoring helps, but most developer environments don't have it enabled. Security tooling in CI/CD pipelines tends to focus on known CVEs, not on behavioral anomalies like unexpected outbound file writes followed by git operations.
This attack also exploits trust. Developers trust npm. They trust GitHub. The attacker weaponized both.
How to Protect Your Environment
Start with your npm install habits. Run npm audit but don't stop there. Use tools like Socket.dev or Snyk to catch behavioral signals in packages before you install them.
Lock your dependency tree. A package-lock.json file alone isn't enough if you're pulling from the npm registry without integrity verification. Use npm ci in your pipelines and verify checksums where possible.
Restrict postinstall scripts. You can disable them globally with npm config set ignore-scripts true and selectively enable only what you actually need. Most legitimate packages don't need postinstall hooks.
Audit what directories your development tools have access to. If Claude AI or any other AI assistant stores data locally, understand exactly where that is and make sure other processes on your machine can't silently read from it.
Check your GitHub organization for unexpected repositories or forks you don't recognize. If an attacker exfiltrated to a public or private repo, there may be traces in your GitHub audit log.
You can also scan your web application at VibeWShield to identify exposed endpoints or misconfigurations that could make a supply chain compromise worse.
Q: How do I check if I installed the malicious package?
Review your package.json and node_modules for unfamiliar packages, check npm install logs, and run a filesystem audit to see if any unexpected reads occurred in your Claude user directory recently.
Q: Can this happen with other AI tools, not just Claude?
Yes. Any AI assistant that stores local user data is a potential target. Attackers will go after whatever directories are predictably populated on developer machines.
Q: Is using GitHub for exfiltration a common technique?
It is becoming more common because it bypasses most network-level controls. Attackers also use Discord webhooks and Pastebin for the same reason. Outbound traffic to trusted platforms rarely triggers alerts.
Scan your application for supply chain and configuration vulnerabilities now at VibeWShield.