Npm

⚠️ Past Incident — March 31, 2026. If you ran npm install or npm update between March 30 evening UTC and March 31, check your systems now. See remediation steps below. ✅ Story Concluded — Attribution resolved (UNC1069 / Sapphire Sleet — North Korea/BlueNoroff), malicious versions removed, maintainer post-mortem published, social engineering vector fully confirmed. No further updates scheduled. Last updated: April 7, 2026 15:00 UTC. Updates 2026-04-07 15:00 UTC — Final Wrap-Up: Social Engineering Vector Confirmed as Fake Teams Call; Dependency Cooldown Emerges as New Best Practice; Story Concluded ...

🔄 Developing Story — Last updated: April 3, 2026 16:30 UTC. Deny-rule security bypass discovered and silently patched in v2.1.90. Trojanized leak repos spreading Vidar infostealer and GhostSocks malware. See Updates section below. Updates April 3, 2026 — 16:30 UTC Patch released; security bypass confirmed; malware campaign underway. First patched version: v2.1.90. Anthropic silently released Claude Code v2.1.90, fixing a security vulnerability disclosed by Adversa AI that was discovered directly through analysis of the leaked source. No public changelog or advisory was issued. Users still running v2.1.88 or any version below v2.1.90 should upgrade immediately. The original v2.1.88 package remains unpublished on npm. ...