[r/ClaudeAI]score: 0.32

Active npm Supply Chain Attack Backdoors Claude Code and VS Code Configs

June 8, 2026

A two-wave malware campaign compromised 89 npm packages totaling over 760,000 monthly downloads, injecting persistent code into Claude Code startup settings and VS Code project configs that survives package removal, silently exfiltrates credentials, and can wipe the home directory if tokens are revoked before the malware is cleaned. Some malicious versions remain live on the npm registry.

HOW THIS AFFECTS YOU

●

builderAudit your Claude Code and VS Code configs immediately for injected scripts, especially if you installed any @redhat-cloud-services packages recently — uninstalling the package alone does not remove the malware.

●

policyThis self-propagating, persistence-capable supply chain attack targeting developer tooling at scale represents a significant threat vector worth tracking for software security governance frameworks.

read original ↗reddit.com

← back to feed