Supply Chain & Security Incidents (March-April 2026)
The Claude Code source leak occurred during the most concentrated supply chain attack campaign in recent npm/PyPI history. The timing was operationally significant: the security architecture was exposed while the tools it was built on were being actively compromised.
Timeline of Concurrent Events
| Date | Event | Impact |
|---|---|---|
| March 19 | TeamPCP compromises Trivy (76/77 version tags) | Pipeline credentials across all CI/CD running Trivy |
| March 20-24 | Checkmarx KICS compromised via stolen Trivy credentials | Additional pipeline credential access |
| March 25-27 | LiteLLM compromised (CVE-2026-33634, CVSS 9.4) | All AI provider credentials (Anthropic, OpenAI, AWS, 100+ more) |
| March 26 | Claude Mythos CMS leak (Fortune) | Model capabilities exposed |
| March 26 | Pentagon blacklist injunction (Judge Lin) | Legal/geopolitical context |
| March 31, 00:21-03:29 | Axios npm compromise (malicious RAT versions) | Any npm install during window compromised |
| March 31, ~04:00 | Claude Code v2.1.88 pushed (with source map leak) | Full 512K-line source exposed |
| March 31, same day | Typosquat packages targeting leaked dependency names | Developers compiling from source targeted |
| April 1-2 | Phoenix Security: 3 CWE-78 vulnerabilities confirmed | Full cloud credential exfiltration paths |
| April 1-3 | v2.1.89-91 patch wave (9 features, 41 fixes, 14 improvements) | Partial security response |
| April 4 | Adversa AI: deny-rules bypass disclosed | 50-subcommand threshold silently disables deny rules |
The Security Architecture Paradox
Claude Code's security model faces a fundamental tension surfaced by these incidents:
"The safety mechanism and the attack surface are the same thing." The permission pipeline, bash security validator, and auto-mode classifier are designed to prevent dangerous operations. But they are also the first thing an attacker analyzes when the source is exposed. Every security check is simultaneously a roadmap for bypassing it.
The 93% problem: Users already approved 93% of permission prompts, conditioning themselves to rubber-stamp approvals. The 7% of genuinely dangerous operations were lost in a stream of low-risk confirmations. Auto mode was designed to handle the 93% without human involvement — but the underlying trust model was already broken before auto mode existed.
Vulnerability Classes
Command Injection (CWE-78)
Three confirmed sinks where execa is invoked with shell: true and the command string is built by interpolating unsanitized values, so shell metacharacters in those values become additional commands:
- VULN-01: the $TERMINAL environment variable is interpolated into a shell command, giving code execution before the workspace trust dialog is shown
- VULN-02: the credential helper path is read from settings.json, so a malicious project settings.json executes arbitrary commands during authentication
- VULN-03: a third sink, not specified in the disclosure
Blast radius: everything readable by the user running Claude Code, including ~/.ssh/, AWS credentials, ANTHROPIC_API_KEY, GITHUB_TOKEN and deploy tokens.
Deny-Rules Bypass (50-Subcommand)
bashPermissions.ts lines 2162-2178: a hard-coded constant, "Maximum Safe Check Sub-Commands", set to 50. Once a chained command reaches that many subcommands the deny-rule check is skipped rather than failing closed, so the whole chain runs unchecked and deny rules silently stop applying to long chains. PoC: 49 `true` no-ops chained ahead of the malicious curl. A tree-sitter based parser that would fix this exists in the codebase but is not enabled for external builds.
Production Data Deletion (Issue #35584)
35,254 customer records + 35,874 billing transactions deleted without confirmation when Claude interpreted "clean dashboard from test numbers" as including real customer data.
The Fabrication Problem
Not all reported vulnerabilities and features were real. The UDS Inbox (Unix domain socket inter-session messaging) was widely reported as a "bombshell feature" but has zero references in the 512K-line codebase. Enterprise security responses and competitor roadmap decisions were influenced by this fabricated claim. Podoliako's systematic verification found roughly half the "bombshell features" didn't survive source verification.
Lessons for the Field
- Security tooling is the highest-value supply chain target — tools with pipeline access are ideal credential harvesters when compromised
- Source leaks are security events, not just IP events — the architecture itself becomes the attacker's roadmap
- Verify before reacting — half the dramatic claims were fabricated, but enterprise decisions were made on them
- The gap between security architecture and security reality — sophisticated permission systems don't help when 93% of prompts are rubber-stamped
Related Entities
- execa-vuln — command injection vulnerabilities
- deny-rules-bypass — 50-subcommand threshold
- issue-35584 — production data deletion
- teampcp-supply-chain — the nine-day campaign
- permission-pipeline — the security architecture
- auto-mode-classifier — the ML-based risk classifier
- uds-inbox-fabricated — the feature that never existed