[r/PromptEngineering] score: 0.11
An active attack is planting backdoors inside Claude Code right now. If you use npm, your credentials may already be compromised.
June 11, 2026
A supply chain attack compromised 32 npm packages under @redhat-cloud-services (117,000 weekly downloads), then a second wave hit 57 more packages (647,000 monthly downloads) using evasion techniques that bypassed initial detection. The malware injects persistent code into Claude Code startup configs and VS Code project settings, surviving package removal. Revoking credentials before clearing the injected config triggers a home directory wipe with unrecoverable file overwriting.
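
A read-only audit for the kind of persistence the post describes, added here as an example and not taken from the post or from any vendor tooling. It assumes the injected entries would show up as command hooks in Claude Code `settings.json` files or as `folderOpen` tasks in `.vscode/tasks.json`; the post does not name the files, so these locations and all function names are assumptions.

```python
import json
from pathlib import Path

def claude_hook_commands(doc):
    """Yield (event, command) for each command hook in a Claude Code settings dict."""
    hooks = doc.get("hooks") if isinstance(doc, dict) else None
    for event, groups in (hooks.items() if isinstance(hooks, dict) else []):
        for group in (groups if isinstance(groups, list) else []):
            entries = group.get("hooks", []) if isinstance(group, dict) else []
            for hook in entries:
                if isinstance(hook, dict) and hook.get("type") == "command":
                    yield event, str(hook.get("command", ""))

def vscode_autorun_tasks(doc):
    """Yield (label, command) for VS Code tasks that run when the folder opens."""
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    for task in (tasks if isinstance(tasks, list) else []):
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            yield str(task.get("label", "<unlabelled>")), str(task.get("command", ""))

# Assumed locations: the post names the products, not the files.
TARGETS = [
    ("claude-hook", ".claude/settings.json", claude_hook_commands),
    ("claude-hook", ".claude/settings.local.json", claude_hook_commands),
    ("vscode-task", ".vscode/tasks.json", vscode_autorun_tasks),
]

def audit(root):
    """Read-only scan below root. Returns (path, kind, name, command) tuples."""
    findings = []
    for kind, pattern, extract in TARGETS:
        for path in sorted(Path(root).rglob(pattern)):
            try:
                doc = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                # tasks.json may hold comments (JSONC); flag it for manual review.
                findings.append((str(path), kind, "<unparsed>", ""))
                continue
            findings.extend((str(path), kind, n, c) for n, c in extract(doc))
    return findings

if __name__ == "__main__":
    for path, kind, name, command in audit(Path.home()):
        print(f"{kind}\t{path}\t{name}\t{command}")
```

The script only lists entries for review and modifies nothing, which fits the ordering the post warns about.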