At 4:23 AM ET, an intern spots a monster debug file in Claude Code's npm package. By breakfast, Anthropic's codebase is mirrored worldwide. No hackers. Just a forgotten .npmignore line.
Picture this: Your AI coding buddy fires off 'npm install axios' — and it's laced with malware. One dev built attach-guard to slam the brakes, turning Claude Code into a supply chain fortress.
Picture this: a Teams call with 'colleagues' from a polished fake company. One 'update' click later, North Koreans control your machine and poison a library with 100 million downloads. Open source just got conned.
Ever wonder if that quick 'npm install axios@latest' just handed your AWS keys to a stranger? On March 31, 2026, it did—for 40 million weekly users.
Nicholas Zakas, ESLint's creator, isn't mincing words: GitHub's npm security moves are 'table stakes,' not solutions. One big attack could shatter JavaScript's package empire.