npm, March 31: RAT in Axios and Half a Million Lines of Claude Code on GitHub

Source: DEV Community
I wake up in the morning, open my feed — and right away, two incidents. Both about npm. Both serious. And both happened on the same day.

The first one — in Axios (yes, the one that's everywhere) — spread a RAT trojan for three hours. The second — Anthropic accidentally published the full source code of Claude Code in a public npm package. Half a million lines with prompts and architecture. Good morning, indeed :)

Axios: 3 hours was more than enough

What happened

Someone hijacked the npm account of Jason Saayman (jasonsaayman) — the main maintainer of Axios. They changed the linked email and manually published two versions:

"[email protected]" — to the latest branch
"[email protected]" — to the legacy branch

The versions were live in the public registry from about 00:21 to 03:15 UTC on March 31. Three hours. For a package with over 100 million weekly downloads, that's more than enough.

How the attack worked

The nastiest part: the Axios code itself wasn't touched. Not a single line. Open the sourc
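
The exposure window from "What happened", turned into a check (an added example, not code from the original post): given a package's registry publish times and a parsed package-lock.json, it lists the versions published between 00:21 and 03:15 UTC and any locked copies of them. The version strings, the year and the lockfile contents are constructed sample values; the page gives neither a year nor readable version numbers.

```javascript
// Window from the page: about 00:21 to 03:15 UTC. The page gives no year,
// so the caller supplies the day as YYYY-MM-DD.
function exposureWindow(day) {
  return { start: Date.parse(`${day}T00:21:00Z`), end: Date.parse(`${day}T03:15:00Z`) };
}

// timeMap: the "time" object of a registry packument (`npm view <pkg> time --json`),
// mapping version -> ISO publish timestamp, plus "created" and "modified" keys.
function versionsPublishedIn(timeMap, win) {
  return Object.entries(timeMap)
    .filter(([v]) => v !== "created" && v !== "modified")
    .filter(([, ts]) => {
      const t = Date.parse(ts);
      return t >= win.start && t <= win.end;
    })
    .map(([v]) => v)
    .sort();
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3). Keys of "packages" are
// install paths, so nested copies (node_modules/a/node_modules/axios) are found too,
// while a scoped namesake (node_modules/@scope/axios) is a different package.
function lockedCopies(lock, name, flagged) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => flagged.includes(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample data: placeholder versions and an assumed year.
const SAMPLE_TIME = {
  created: "2020-01-01T00:00:00Z",
  modified: "2026-03-31T04:00:00Z",
  "0.0.1-legacy-ok": "2026-03-01T10:00:00Z",
  "0.0.2-legacy-bad": "2026-03-31T01:00:00Z",
  "9.0.0-ok": "2026-03-20T12:00:00Z",
  "9.0.1-bad": "2026-03-31T00:21:30Z",
};
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "9.0.0-ok" },
  "node_modules/some-sdk/node_modules/axios": { version: "0.0.2-legacy-bad" },
  "node_modules/@scope/axios": { version: "9.0.1-bad" },
} };

const flagged = versionsPublishedIn(SAMPLE_TIME, exposureWindow("2026-03-31"));
console.log(flagged, lockedCopies(SAMPLE_LOCK, "axios", flagged));
```

If the registry no longer lists the pulled versions, pass the version strings from the advisory straight to `lockedCopies`.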