Threat Intel

⚠️ Active Incident — March 31, 2026. If you ran npm install or npm update between March 30 evening UTC and March 31, check your systems now. See remediation steps below. 🔄 Developing Story — Attribution now resolved: Google GTIG has formally attributed this attack to UNC1069 (also tracked as Sapphire Sleet by Microsoft), a North Korea-nexus threat actor linked to BlueNoroff/Lazarus Group. The attack is confirmed unrelated to the concurrent TeamPCP campaign. Malicious versions have been taken down by npm. Full scope of affected organizations is still being assessed. This article will be updated as new information becomes available. Last updated: April 2, 2026 16:00 UTC. ...

🔄 Developing Story — Last updated: April 1, 2026 16:30 UTC. Anthropic has confirmed the leak and is issuing DMCA takedown notices. Security researchers have surfaced alarming findings including an undisclosed stealth mode and autonomous background agent. See Updates section below. Updates April 1, 2026 — 16:30 UTC Anthropic confirms; DMCA campaign begins. Anthropic has officially confirmed the leak was accidental. Boris Cherny, head of Claude Code at Anthropic, described it as a “plain developer error” — the Bun runtime generates source maps by default and nobody added *.map to .npmignore. The company is now issuing DMCA takedown notices to GitHub mirrors. Anthropic’s CNBC statement characterized the exposure as limited to tooling code: “no user data, prompts, or customer repositories were exposed.” The original npm package v2.1.88 was quietly unpublished. ...