A massive supply chain attack has compromised over 400 modules across the NPM and PyPI repositories, with RubyGems now reporting hundreds of additional affected packages. This sophisticated campaign specifically targets developers to steal credentials via modules that appear cryptographically authentic, showing no immediate signs of tampering. The danger lies in the malware's persistence: it embeds itself into Claude Code hooks and VS Code automation tasks, meaning simply uninstalling the malicious packages will not clean the infected system.
If you have downloaded affected versions, follow these critical remediation steps immediately:
- Rotate all credentials and API keys linked to your development environment.
- Audit IDE directories for unauthorized scripts or modified automation tasks.
- Block known attacker-controlled infrastructure at the network level.
- Manually inspect .vscode/tasks.json and Claude-related configuration files for hidden hooks.
Security researchers from BleepingComputer and the RubyGems team warn that this attack is designed to survive standard cleanup efforts. Developers are urged to check the latest lists of compromised modules on platforms like TabNews and verify their local IDE configurations for any persistent backdoors.
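An added example (not from the article or any project it names) of the manual inspection step above: it lists every VS Code task set to run on folder open and every Claude Code hook command under a directory, so each one can be reviewed. The .claude/settings*.json location and the JSON keys follow the tools' documented formats and are assumptions here, since the article names only .vscode/tasks.json; the sample tree is constructed.

```python
import json, re, tempfile
from pathlib import Path

# Strings are matched first so "//" inside a string value is not cut as a comment.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(path):
    """Parse JSON that may contain // or /* */ comments, as tasks.json may."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return json.loads(_JSONC.sub(lambda m: m[0] if m[0][0] == '"' else "", text))

def audit(root):
    """List (relative file, kind, command) for entries that run without a prompt."""
    root, found = Path(root), []
    # Assumed locations: .vscode/tasks.json and .claude/settings*.json in any folder.
    files = [*root.glob("**/.vscode/tasks.json"), *root.glob("**/.claude/settings*.json")]
    for path in sorted(files):
        rel = path.relative_to(root).as_posix()
        try:
            doc = load_jsonc(path)
            if path.name == "tasks.json":
                # VS Code starts a task on folder open when runOptions.runOn says so.
                for task in doc.get("tasks", []):
                    if task.get("runOptions", {}).get("runOn") == "folderOpen":
                        found.append((rel, "vscode-autorun", str(task.get("command"))))
            else:
                # Claude Code hooks: event name -> groups -> hooks with a "command".
                for event, groups in doc.get("hooks", {}).items():
                    for hook in (h for g in groups for h in g.get("hooks", [])):
                        found.append((rel, f"claude-hook:{event}", str(hook.get("command"))))
        except (ValueError, AttributeError, TypeError):
            # Malformed or unexpected structure: flag for manual review, never skip.
            found.append((rel, "unparsed", "inspect manually"))
    return found

def demo():
    samples = {  # constructed sample tree; all file contents are made up
        "app/.vscode/tasks.json": '{ // constructed\n "tasks": [{"label": "build", "command": "make"},'
            ' {"label": "sync", "command": "node sync.js", "runOptions": {"runOn": "folderOpen"}}]}',
        "app/.claude/settings.json": json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "sh init.sh"}]}]}}),
        "lib/.vscode/tasks.json": '{"tasks": [',  # truncated on purpose
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            Path(tmp, rel).parent.mkdir(parents=True)
            Path(tmp, rel).write_text(body, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `audit()` on each project root and on the home directory, since Claude Code also reads user-level settings there. A hit is an entry to review, not proof of compromise.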


