https://www.getsafety.com/blog-posts/malicious-claude-code-package
Cybersecurity researchers have uncovered a vulnerability in the popular AI assistant “Claude,” which has been exploited by bad actors to create and distribute a malicious code package. The issue, disclosed by the GetSafety security team, highlights the growing need for heightened vigilance when it comes to the security of AI-powered tools.
The malicious package, masquerading as a legitimate “Claude” module, has been found on several open-source platforms, including PyPI and npm. When installed, the package covertly executes a series of commands that can grant attackers remote access to the victim’s system, allowing them to steal sensitive data, install additional malware, or even gain complete control over the compromised device.
The researchers emphasise the importance of exercising caution when downloading and installing any third-party code, especially in the context of rapidly evolving AI technologies. They urge developers and users to thoroughly vet the source and integrity of any packages before incorporating them into their projects, and to keep their systems and software up to date with the latest security patches to mitigate the risks posed by such threats.