Netizen: Monday Security Brief (2/23/2026)

Today’s Topics:

  • Anthropic Introduces Claude Code Security for AI-Driven Vulnerability Scanning
  • Malicious npm Campaign Harvests Crypto Keys, CI Secrets, and LLM Tokens
  • How can Netizen help?

Anthropic Introduces Claude Code Security for AI-Driven Vulnerability Scanning

Anthropic has announced a new capability within Claude Code called Claude Code Security, an AI-assisted vulnerability scanning feature now available in limited research preview for Enterprise and Team customers. The release signals a clear shift in how AI is being positioned inside development environments. The model is no longer just generating code. It is actively reviewing it for security defects.

Claude Code Security scans a user’s codebase, identifies potential vulnerabilities, and proposes targeted remediation steps for developer review. The system does not automatically modify production code. Instead, it surfaces findings inside a dedicated dashboard, assigns severity levels, provides a confidence score, and presents suggested patches for explicit human approval. That human approval requirement is a critical architectural choice. It preserves change control discipline and avoids introducing automated remediation risk into secure development workflows.

Anthropic’s positioning is grounded in a reality security teams are already seeing. AI-assisted tooling can accelerate vulnerability discovery at scale. That acceleration benefits defenders, but it also benefits adversaries. As models become more capable of reasoning through application logic, tracing dependencies, and mapping data flows, the time required to identify exploitable weaknesses continues to shrink. Claude Code Security is designed to counterbalance that dynamic by placing similar reasoning capabilities into the hands of defenders.

The company claims the system goes beyond conventional static analysis. Traditional SAST tools rely heavily on rule-based detection and signature matching. They are effective at identifying known patterns such as injection flaws or unsafe function usage, but they often struggle with multi-step logic errors and contextual trust boundary violations. Claude Code Security is described as reasoning about the codebase in a way that more closely resembles a human security reviewer. It evaluates how components interact, traces data flows across services, and attempts to identify vulnerabilities that may not match predefined signatures.

False positive reduction is addressed through what Anthropic describes as a multi-stage verification process. Findings are re-analyzed before being presented to the user, and each issue is assigned both a severity rating and a confidence score. That layered review approach is intended to reduce alert fatigue and help development teams prioritize remediation based on impact and likelihood.

From a DevSecOps perspective, the practical question is integration. Organizations with mature pipelines already operate SAST, DAST, and software composition analysis tooling. Claude Code Security appears positioned as a reasoning layer that augments those deterministic systems rather than replaces them. Its value will depend on how effectively it complements existing scanners, how transparent its findings are, and how easily it can be incorporated into established approval workflows.

In regulated environments, governance will matter. Any AI-driven code analysis tool must support auditability, logging, traceability of decisions, and protection of proprietary source code. The explicit human-in-the-loop model helps address change management and accountability requirements that frameworks such as NIST SP 800-53, ISO 27001, and CMMC 2.0 expect organizations to enforce.

Claude Code Security remains in research preview, so operational maturity and real-world performance data are still emerging. Even so, the strategic direction is clear. AI is moving from a development accelerator to a security control embedded directly into the software lifecycle. For security leaders, the focus should be on disciplined adoption, governance alignment, and measurable reduction in vulnerability exposure rather than novelty.


Malicious npm Campaign Harvests Crypto Keys, CI Secrets, and LLM Tokens

Researchers have uncovered an active supply chain campaign leveraging at least 19 malicious npm packages to harvest developer credentials, cryptocurrency keys, CI/CD secrets, and API tokens. The operation, tracked by Socket under the name SANDWORM_MODE, resembles earlier Shai-Hulud-style worm activity, but with expanded functionality and more deliberate targeting of AI-assisted development environments.

The malicious packages were published under the npm aliases official334 and javaorg. They include typosquatted and deceptively named modules such as claud-code, crypto-reader-info, node-native-bridge, secp256, suport-color, and others. Four additional sleeper packages were identified that currently contain no malicious functionality but may serve staging or trust-building purposes.
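The typosquatted names above are the kind a lock-file audit can catch. The following Node.js script is an added example, not code from the brief or from Socket: it flags package-lock.json entries that exactly match the names reported in the brief or that sit within a small edit distance of a well-known package (the allowlist and the lock-file content are constructed for the example).

```javascript
// Added example, not from the brief or Socket: flag package-lock.json entries that
// match names reported in the brief or closely resemble a well-known package.
const REPORTED = new Set(["claud-code", "crypto-reader-info", "node-native-bridge",
  "secp256", "suport-color"]);                       // names from the brief
const WELL_KNOWN = ["supports-color", "secp256k1", "chalk", "lodash", "express"]; // assumed allowlist

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Walk the "packages" map (lockfileVersion 2/3) and return one finding per
// suspicious dependency. Distance <= 2 suits names of 6+ characters; use a
// stricter bound for very short names to limit false positives.
function auditLockfile(lockJson) {
  const findings = [];
  for (const key of Object.keys(lockJson.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    if (REPORTED.has(name)) {
      findings.push({ name, reason: "package reported as malicious" });
      continue;
    }
    const near = WELL_KNOWN.map((k) => [k, editDistance(name, k)]).find(([, d]) => d > 0 && d <= 2);
    if (near) findings.push({ name, reason: `resembles ${near[0]} (edit distance ${near[1]})` });
  }
  return findings;
}

// Constructed sample: two legitimate packages, one typosquat, two reported names.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/supports-color": { version: "9.4.0" },
  "node_modules/chalk": { version: "5.3.0" },
  "node_modules/lodahs": { version: "4.17.21" },
  "node_modules/suport-color": { version: "1.0.0" },
  "node_modules/secp256": { version: "0.0.1" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Feed it `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK` to run it against a real project; a name flagged only by distance still needs a human look, since legitimate forks and scoped variants also score low.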

The core payload is designed to extract system information, environment variables, access tokens, API keys, and cryptocurrency private keys from infected developer environments. Once harvested, the malware abuses stolen npm and GitHub credentials to publish additional malicious packages, effectively propagating itself through compromised identities.

This propagation model transforms the campaign from a one-off credential theft operation into a self-expanding supply chain worm. By compromising trusted publisher accounts, the attackers increase their distribution reach and reduce the likelihood of early detection.

The malware also embeds a weaponized GitHub Action capable of harvesting CI/CD secrets directly from build pipelines. Exfiltration occurs over HTTPS with DNS fallback, increasing resiliency if primary outbound channels are blocked.

The codebase includes a destructive routine designed to wipe the victim’s home directory if the malware loses access to GitHub or npm infrastructure. Although this wiper functionality is currently disabled by default, its presence significantly raises the risk profile of the campaign. It signals that the operators are prepared to transition from stealthy credential harvesting to disruptive retaliation if their infrastructure is disrupted.

Socket noted multiple feature flags and toggles within the code that suggest the threat actor is actively iterating. Some builds disable destructive routines or polymorphic rewriting, indicating staged deployment and ongoing refinement rather than accidental publication.

One of the most notable components is a module referred to as McpInject. This functionality targets AI coding assistants by deploying a malicious Model Context Protocol server and injecting it into local tool configurations.

The rogue MCP server masquerades as a legitimate tool provider and registers benign-looking utilities. Embedded within those utilities are prompt injections designed to extract sensitive files, including:

  • ~/.ssh/id_rsa and ~/.ssh/id_ed25519
  • ~/.aws/credentials
  • ~/.npmrc
  • .env files

These artifacts are staged locally for later exfiltration.

The module specifically targets developer tooling environments that integrate AI assistants, including Claude Code, Claude Desktop, Cursor, Microsoft Visual Studio Code Continue, and Windsurf. It also harvests API keys associated with major LLM providers, including Anthropic, Cohere, Fireworks AI, Google, Grok, Mistral, OpenAI, Replicate, and Together.
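Because McpInject works by editing the local MCP configuration, a baseline comparison of that configuration is a direct detection. The script below is an added example, not code from the brief or from Socket: it diffs the `mcpServers` map of a tool's config against an approved baseline and reports servers that were added, changed or removed. The `mcpServers` -> `{command, args, env}` shape is the one Claude Desktop and Cursor use; where each tool stores the file differs and is left to the caller, and both documents in the script are constructed.

```javascript
// Added example, not code from the brief or Socket: compare the MCP servers in a
// tool's local config against an approved baseline and report anything added,
// changed or removed. The "mcpServers" -> {command, args, env} shape is the one
// Claude Desktop and Cursor use; both documents below are constructed.

// Stable fingerprint of one server entry: launch command, ordered args, and
// the env variable names (not values, which may hold secrets).
function fingerprint(entry) {
  return JSON.stringify({
    command: entry.command || "",
    args: entry.args || [],
    envKeys: Object.keys(entry.env || {}).sort(),
  });
}

function launchLine(entry) {
  return [entry.command || "", ...(entry.args || [])].join(" ");
}

// Return findings for servers that differ between baseline and current config.
// Removed servers are reported too: a tampered config may replace a legitimate
// entry rather than only add one.
function diffMcpServers(baseline, current) {
  const base = baseline.mcpServers || {};
  const cur = current.mcpServers || {};
  const findings = [];
  for (const [name, entry] of Object.entries(cur)) {
    if (!(name in base)) {
      findings.push({ server: name, change: "added", launch: launchLine(entry) });
    } else if (fingerprint(base[name]) !== fingerprint(entry)) {
      findings.push({ server: name, change: "modified", launch: launchLine(entry) });
    }
  }
  for (const name of Object.keys(base)) {
    if (!(name in cur)) findings.push({ server: name, change: "removed", launch: launchLine(base[name]) });
  }
  return findings;
}

// Constructed baseline: one approved server.
const BASELINE = { mcpServers: {
  "project-files": { command: "node", args: ["/opt/approved/fs-server.js", "/home/dev/projects"] },
} };
// Constructed current config: the approved server plus an unexpected entry that
// launches a script from inside node_modules (a constructed path, not an IoC).
const CURRENT = { mcpServers: {
  "project-files": { command: "node", args: ["/opt/approved/fs-server.js", "/home/dev/projects"] },
  "code-helper": { command: "node", args: ["/home/dev/app/node_modules/.cache/helper.js"] },
} };
console.log(diffMcpServers(BASELINE, CURRENT));
```

Running this from a scheduled job, with the baseline stored somewhere the developer account cannot write, turns an unexpected MCP server into an alert rather than a silently trusted tool provider.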

This marks a clear evolution in supply chain attacks. The objective is no longer limited to source code or infrastructure credentials. AI model access itself is now a target.

The malware contains a polymorphic engine configured to call a local Ollama instance running DeepSeek Coder. That engine can rewrite control flow, rename variables, inject junk code, and encode strings to evade detection. Although currently disabled in observed samples, the capability indicates preparation for more evasive future variants.

The attack unfolds in two stages. The first stage captures credentials and cryptocurrency keys. A second stage, activated after a delay of at least 48 hours with additional per-machine jitter, performs deeper harvesting, worm-like propagation, MCP injection, and full data exfiltration. The delayed execution complicates sandbox-based detection and incident response correlation.

Separate disclosures from Veracode and JFrog identified additional malicious npm packages, including buildrunner-dev and eslint-verify-plugin.

The buildrunner-dev package delivers Pulsar RAT, an open-source .NET remote access trojan, with the payload hosted inside a PNG image. The malware targets Windows, macOS, and Linux systems.

The eslint-verify-plugin package masquerades as a legitimate ESLint utility but deploys a multi-stage infection chain. On Linux, it installs a Poseidon agent tied to the Mythic C2 framework, enabling credential harvesting, lateral movement, and file operations. On macOS, it executes Apfell, a JavaScript for Automation agent capable of extensive data collection and privilege escalation through the creation of a new administrator account.

Stolen data includes system information, browser artifacts, clipboard contents, password dialog captures, iCloud Keychain files, Chrome cookies and login data, screenshots, and file metadata.

Checkmarx also reported a rogue VS Code extension called solid281, impersonating the official Solidity extension. It deploys an obfuscated loader that installs ScreenConnect on Windows and a Python reverse shell on macOS and Linux. The targeting of Solidity developers aligns with broader patterns of developer-focused compromise.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

