Anthropic accidentally published an npm library that included a 59.8 MB .js.map file, exposing the internal source code of Claude Code. For 24 hours, malicious actors created fake GitHub repositories to distribute malware, tricking developers into downloading the leaked code.
Weaponizing Trust Signals: Claude Code Lures and GitHub Releases
Summary: Trend Micro reported an npm packaging error in Anthropic's library that exposed internal source code. Malicious actors quickly capitalized on the incident by distributing malware through fake GitHub repositories, luring developers with purported downloads of the leak.
Key facts
- Accidental exposure of 512,000 lines of TypeScript source code
- Rapid distribution of malware through fake GitHub repositories
- Deception campaign since February 2026 using AI lures
Why it matters
This incident highlights that threats originate not only from software vulnerabilities but also from human errors and organizational gaps. Companies must implement governance measures to mitigate agent risks.
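A pre-publish check for the packaging error described above, as an added example that is not Anthropic's or Trend Micro's code: it flags source maps in a package's file set that embed original sources via `sourcesContent`. The `{ path, text }` input shape, the function names and the sample contents are assumptions made for illustration.

```javascript
// Added example: audit the files an npm package would ship, before publishing.
// The { path, text } input shape is an assumption; fill it from your own packing step.
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+/=]+)/;
const LINKED_MAP = /\/\/[#@]\s*sourceMappingURL=(?!data:)(\S+)/;

// Count original source files embedded in a parsed source map.
function embeddedSources(map) {
  if (!map || typeof map !== "object") return 0;
  const content = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const own = content.filter((s) => typeof s === "string" && s.length > 0).length;
  // Index maps nest further maps under sections[].map.
  const sections = Array.isArray(map.sections) ? map.sections : [];
  return sections.reduce((n, s) => n + embeddedSources(s && s.map), own);
}

function parseMap(text) {
  try { return JSON.parse(text); } catch { return null; } // unparseable: nothing counted
}

// Returns one finding per .map file, inline map, or external map reference.
function auditPackedFiles(files) {
  const findings = [];
  for (const { path, text } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, kind: "map-file", embedded: embeddedSources(parseMap(text)) });
      continue;
    }
    if (!/\.[cm]?js$/.test(path)) continue;
    const inline = INLINE_MAP.exec(text);
    const linked = LINKED_MAP.exec(text);
    if (inline) {
      const json = Buffer.from(inline[1], "base64").toString("utf8");
      findings.push({ path, kind: "inline-map", embedded: embeddedSources(parseMap(json)) });
    } else if (linked) {
      findings.push({ path, kind: "map-reference", target: linked[1], embedded: 0 });
    }
  }
  return findings;
}

// Findings that should fail the release: original source text would be published.
const leaksSource = (findings) => findings.filter((f) => f.embedded > 0);

// Constructed sample package contents (not taken from the real incident).
const SAMPLE = [
  { path: "package.json", text: '{"name":"demo","version":"1.0.0"}' },
  { path: "dist/cli.js", text: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: "dist/cli.js.map", text: JSON.stringify({ version: 3, sources: ["../src/cli.ts"], sourcesContent: ["export const x = 1;"], mappings: "AAAA" }) },
  { path: "dist/util.js", text: "//# sourceMappingURL=data:application/json;base64," + Buffer.from(JSON.stringify({ version: 3, sources: ["../src/util.ts"], sourcesContent: [null], mappings: "" })).toString("base64") },
];
```

A map whose `sourcesContent` entries are all `null` still reveals file paths, so the other findings are worth reviewing even when `leaksSource` returns nothing.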
@trendaisecurity