Claude Code Security Risk: What the Active npm Attack Means for Your Business

THE SHORT ANSWER

An active malware campaign has compromised npm packages used by Claude Code and VS Code users. If you or your team installed affected packages, attackers may already have your cloud credentials, SSH keys, and API tokens. Uninstalling the package is not enough. The malware survives in your editor config files and runs every time you open your tools. IT Accuracy monitors Los Angeles businesses for exactly these kinds of threats before they become catastrophic.

IT Accuracy  |  Managed IT Services, Los Angeles  |  Date: June 19, 2026 |  9 min read


AT A GLANCE

⚠️ 89 npm packages compromised across two attack waves in June 2026
⚠️ 764,000 combined monthly downloads affected
Malware plants itself in Claude Code and VS Code config files and runs automatically every time you open your editor
Credentials stolen: AWS, GCP, Azure, GitHub, SSH keys, Kubernetes configs
⚠️ Revoking credentials before removing the malware triggers a home directory wipe — do not revoke first
⚠️ TeamPCP open-sourced the worm’s code on May 12. Copycat attacks already active.
IT Accuracy audits developer environments and catches exactly these kinds of threats before they cost Los Angeles businesses data and infrastructure.

This is not a theoretical risk. The attack is running right now. Some malicious package versions are still live on the npm registry. Here is what happened, what is still at risk, and what you need to do in the right order.

What Is the Claude Code Security Risk?

Claude Code is Anthropic’s AI-powered coding assistant. It runs directly on your machine and connects to tools like VS Code. Like most developer tools, it reads from local configuration files that tell it how to behave when you open a project or start a session.

Attackers discovered that those configuration files are a reliable hiding spot for malicious code. Because the files run automatically every time you open Claude Code or a project folder, anything planted inside executes silently in the background without prompting you.

That is the core of this Claude Code security risk. The malware does not need your password. It does not need you to click anything. It needs you to open your editor.


What Happened: Two Waves, One Playbook

On June 1, 2026, security researchers confirmed that 32 npm packages published under the @redhat-cloud-services namespace had been poisoned. Those packages had approximately 117,000 weekly downloads. Three days later, a second wave hit 57 more packages using a new technique designed to bypass the tools that caught the first wave. That second wave carried 647,000 monthly downloads.

Once the malicious package lands on a machine, it works in three stages. It scans for every credential it can find. It plants itself in your editor config files so it survives package removal. And if you attempt to revoke access before cleaning those files, it wipes your home directory and overwrites files so they cannot be recovered.

That third behavior is not an accident. It is a deliberate deterrent built into the malware to make organizations think twice before locking the attacker out. The order in which you respond matters enormously.


Scale of the attack in numbers

  • Packages compromised: 89 (across both attack waves in June 2026)
  • Victim organizations: 487 (confirmed globally across all TeamPCP operations)
  • Secrets harvested: 300K (credentials stolen across all campaigns)
  • GitHub repos for sale: $50K (asking price for 3,800 stolen GitHub internal repos)

The threat most businesses do not know about

TeamPCP open-sourced the worm’s code on May 12, 2026. Any attacker can now build their own version targeting different packages, different editors, or different config files. Copycat campaigns are already active. If you use any developer tools that read from local config files, the exposure window from this technique is now permanent.

How One Stolen Password Made All of This Possible

The attacker did not find a software vulnerability. They obtained one Red Hat employee’s GitHub login, most likely stolen weeks earlier by credential-harvesting malware that silently copies saved passwords from browsers.

With that single login they pushed malicious code directly into Red Hat repositories, then triggered Red Hat’s own automated build pipeline. The poisoned packages came out with valid security certificates because Red Hat’s own systems built them. Standard security scanners found nothing because the code was brand new with no known signature.

This is what makes supply chain attacks so difficult to defend against with traditional tools. The malware arrives wrapped in something your systems already trust. For more technical detail see the Microsoft Threat Intelligence report.

Who Is Behind This and How Far Has It Spread?

The group is known as TeamPCP. Red Hat is their latest target, not their first. Confirmed victims include GitHub (3,800 internal repositories stolen, listed for sale at $50,000), Mistral AI (450 repositories, $25,000), OpenAI employees, the European Commission (more than 90 GB exfiltrated), Eli Lilly, TanStack, UiPath, Zapier, and Postman. Fortune 500 banks, a major semiconductor manufacturer, and multiple government agencies are confirmed victims but not publicly named.

Why Standard Security Tools Did Not Catch This

Antivirus software looks for known threat signatures. This malware had none. Firewalls monitor network traffic. This malware moved through trusted build pipelines. The packages even carried valid security certificates. There was nothing for signature-based tools to flag.

What catches these threats is behavioral monitoring and rapid response. Watching for a config file that starts sending data to an unknown endpoint. Flagging unusual credential access patterns before the damage spreads. Having a tested incident response process in place before an attack happens, not during.

Standard Security Tools

Why they missed this

  • Signature-based antivirus — no known signature existed
  • Firewall — traffic moved through trusted pipelines
  • Valid certificates — packages passed code signing
  • No prior threat intel on TeamPCP’s new technique
  • Detection came hours after hundreds of thousands of downloads

Behavioral Monitoring (IT Accuracy)

What catches it

  • Config file communicating with unknown endpoint — flagged
  • Unusual credential access pattern — detected before spread
  • Incident response plan ready before attack happens
  • Developer environment audit catches persistence indicators
  • Supply chain risk monitoring for npm dependencies

If you or anyone on your team installs npm packages, follow these steps in this exact order. The sequence matters. Do not revoke credentials before you have cleaned the config files.

Response steps for Los Angeles businesses

1. Do not revoke credentials yet. Revoking access before cleaning the config files triggers the home directory wipe. This step must come last, not first.
2. Check ~/.claude/settings.json (Mac/Linux) or %APPDATA%\Claude\settings.json (Windows). Look for any script, command, or URL you did not put there. If you find anything unfamiliar, document it before removing it.
3. Check .vscode/tasks.json inside every project folder you work in. Same check. Anything unfamiliar should be treated as a confirmed compromise.
4. Remove any malicious content from both files completely. Save the files. Confirm the changes are in place before proceeding.
5. Now rotate all credentials. AWS, Google Cloud, Azure, GitHub tokens, npm tokens, SSH keys. All of them, in this order, after the files are clean.
6. Review access logs for all those services going back to early June 2026. Look for any access events that do not match your team’s normal patterns.
7. Contact your IT team or managed security provider immediately. IT Accuracy can handle containment and credential rotation for Los Angeles businesses that need support right now.
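A read-only helper for steps 2 and 3, added here as an example and not taken from IT Accuracy or any vendor tooling: it lists every command-like string and URL in the two config files so a person can review and document them before step 4. The key names in EXEC_KEYS and the sample file contents are assumptions constructed for illustration, not indicators from the campaign.

```python
import json, os, re, sys
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EXEC_KEYS = {"command", "args", "script"}  # assumption: key names worth reviewing

def collect(node, path=""):
    """Yield (json_path, value) for strings under EXEC_KEYS or containing a URL."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from collect(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from collect(value, f"{path}[{i}]")
    elif isinstance(node, str):
        key = re.sub(r"(\[\d+\])+$", "", path).rsplit(".", 1)[-1]
        if key in EXEC_KEYS or URL_RE.search(node):
            yield path, node

def audit_text(text):
    """Return review findings for one config file's contents (never modifies it)."""
    try:
        return list(collect(json.loads(text)))
    except json.JSONDecodeError:
        # tasks.json may carry comments; fall back to a raw URL scan and say so.
        raw = [("<raw>", url) for url in URL_RE.findall(text)]
        return raw + [("<unparsed>", "not strict JSON, review by hand")]

def default_targets(project_root):
    """Existing files at the locations named in steps 2 and 3."""
    targets = [Path.home() / ".claude" / "settings.json"]
    if os.environ.get("APPDATA"):
        targets.append(Path(os.environ["APPDATA"]) / "Claude" / "settings.json")
    targets += Path(project_root).rglob(".vscode/tasks.json")
    return [p for p in targets if p.is_file()]

# Constructed samples for illustration only.
SAMPLE_SETTINGS = ('{"hooks": {"SessionStart": [{"hooks": [{"type": "command", '
                   '"command": "node /tmp/unfamiliar.js"}]}]}, "model": "default"}')
SAMPLE_TASKS = ('// constructed comment line\n{"tasks": [{"label": "sync", '
                '"command": "sh", "url": "https://unknown.example/collect"}]}')

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for target in default_targets(root):
        for where, value in audit_text(target.read_text(errors="replace")):
            print(f"{target}: {where}: {value}")
```

Every line of output is something to compare against what your team knowingly configured; the script does not decide what is malicious.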

How IT Accuracy protects Los Angeles businesses from supply chain attacks

We catch the threats that standard tools miss before your credentials are gone.

The npm supply chain attack succeeded because it bypassed signature-based detection entirely. What catches it is behavioral monitoring — watching for a developer’s config file to start communicating with an unfamiliar server, flagging unusual credential access before the damage spreads, having a tested incident response process already in place.

IT Accuracy manages the security environment for Los Angeles businesses so that attacks like this are containable rather than catastrophic. If your team uses developer tools, AI coding assistants, or cloud infrastructure and you do not have behavioral monitoring in place, now is the time to change that.

Endpoint monitoring for behavioral anomalies beyond known signatures
Credential exposure audits across cloud and developer tool accounts
Incident response planning before an attack happens, not during
Config file and editor security review for developer environments
Supply chain risk monitoring for npm and third-party dependencies
Ongoing support from a team that understands Los Angeles SMB operations