Cybersecurity Headlines Axios poisoned, TeamPCP details, Claude Code leaked
9 snips
Apr 1, 2026 A maintainer account takeover added a malicious NPM dependency targeting multiple OSes. Research reveals an access broker validating stolen secrets and working with extortion groups. An accidental source-map leak exposed internals of a major AI model. Reports cover supply chain risks for quantum computing and a hefty fine for improper data access.
AI Snips
Chapters
Transcript
Episode notes
NPM Account Hijack Used Malicious Dependency Injection
- Attackers hijacked the Axios maintainer's NPM account and added a malicious dependency instead of modifying Axios code directly.
- They pushed the dependency manually via NPM CLI to bypass GitHub Actions and deliver OS-specific payloads for Windows, macOS, and Linux.
Team PCP Rapidly Validates Stolen Secrets
- Wiz researchers found Team PCP validates stolen secrets within hours and performs AWS discovery against validated keys within a day.
- The group collaborates with extortion and ransomware gangs and acts as an initial access broker clearinghouse.
Anthropic Source Map Leak Revealed Claude Internals
- A JavaScript source map for Claude Code was accidentally published to NPM and archived across GitHub before Anthropic removed it.
- The leak exposed Claude's three-layer memory architecture, Keros daemon mode, roadmap, and an undercover prompt for public contributions.