Case Study — Malicious Package Detection

A Fake Claude Code Package Deployed a C2 Server and Credential Stealer onto Developer Machines.

In October 2025, a malicious npm package impersonating Claude Code was published to the registry. In December 2025, 1,228 malicious packages were discovered across npm and PyPI in a single month. Here’s how Truvant’s Artifact Reputation Registry would have prevented this.

What Happened

Attackers are specifically targeting AI developers. These are real incidents from the npm and PyPI ecosystems in 2025–2026.

October 2025

Fake Claude Code Package
@chatgptclaude_club/claude-code

A malicious npm package impersonated the official Claude Code CLI. It deployed a credential stealer targeting Anthropic API keys and a bidirectional C2 server — giving the attacker persistent remote access to any machine that installed it.

Impact: Credential theft + remote access

May 2025

First Malicious MCP Server
postmark-mcp

The first confirmed malicious MCP server was discovered on npm. It masqueraded as a Postmark email integration but contained hidden functionality to exfiltrate environment variables and API keys from the developer’s machine.

Impact: Environment variable exfiltration

September 2025

Massive npm Supply Chain Attack
nx, coa, rc (compromised)

Attackers compromised multiple high-profile npm maintainer accounts through phishing, injecting cryptocurrency wallet stealers and credential harvesters into packages downloaded by millions of developers. CISA issued a formal advisory.

Impact: Millions of developers exposed

  • 1,228 malicious packages in Dec 2025 alone
  • 121K downloads of typosquatted packages
  • CVSS 9.6: the mcp-remote RCE

How Truvant Prevents This

The Artifact Reputation Registry continuously scans package registries and builds a global reputation index. When you install an MCP server, skill, or plugin, Truvant already knows if it’s safe.

1. Continuous Registry Scanning

Truvant’s Trust Intelligence Service continuously monitors npm, PyPI, Docker Hub, and GitHub for new and updated MCP-related packages. Each artifact is analyzed for vulnerabilities, secrets, malicious patterns, and tool risk classification.

2. Global Reputation Index

Every analyzed artifact gets a risk score (0–100) and verdict: allow, warn, or deny. If 100 organizations install the same package, analysis runs once — all benefit from the shared result. Known malicious packages are flagged immediately.

3. Pre-Install Catalog Check

Before running local scanners, mcpctl scan queries the catalog. If the artifact is already known — whether safe or malicious — you get an instant verdict without waiting for a full local analysis.

4. Policy Enforcement

Artifacts that don’t meet your organization’s score threshold are blocked automatically. A package flagged as malicious in the registry never reaches any developer’s machine across your entire fleet.
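As an added illustration of steps 1 to 4 (example code written for this page, not Truvant's or mcpctl's implementation), the following Node.js script shows the shape of a pre-install gate: it consults a shared catalog first, falls back to a local name check for artifacts the catalog has not seen, and applies the organization's score threshold. The catalog entries, the list of official package names, the scoring weights and the two-edit typosquat rule are all assumptions made for the example; the SEC015 rule approximates the typosquatting finding shown in the scan output further down.

```javascript
// Added example (not Truvant's or mcpctl's code): a minimal pre-install gate
// that follows the four steps above. The catalog, the official-name list and
// the scoring weights are all constructed for this example.

// Step 2: a shared reputation index. Constructed entries; the scores of the two
// malicious packages mirror the scan output shown on this page.
const CATALOG = {
  "npm:@chatgptclaude_club/claude-code": { score: 8, verdict: "deny", publisherVerified: false },
  "npm:postmark-mcp": { score: 15, verdict: "deny", publisherVerified: false },
  "npm:@anthropic-ai/claude-code": { score: 95, verdict: "allow", publisherVerified: true },
};

// Official packages whose names attackers imitate (constructed list).
const OFFICIAL_NAMES = ["@anthropic-ai/claude-code", "@modelcontextprotocol/sdk"];

// Points removed from a perfect score per finding severity (constructed weights).
const PENALTY = { Critical: 50, High: 30, Medium: 15 };

// Classic edit distance, used to catch one- or two-character name variations.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// The unscoped part of an npm name: "@evil/claude-code" -> "claude-code".
function baseName(name) {
  return name.includes("/") ? name.slice(name.indexOf("/") + 1) : name;
}

// Local heuristic behind a SEC015-style finding: an exact official name is fine;
// the same unscoped name under a different scope is scope impersonation
// (Critical); a near miss within two edits is a likely typosquat (High).
function typosquatFinding(name) {
  if (OFFICIAL_NAMES.includes(name)) return null;
  const base = baseName(name);
  for (const official of OFFICIAL_NAMES) {
    const officialBase = baseName(official);
    if (base === officialBase) return { id: "SEC015", severity: "Critical", impersonates: official };
    if (levenshtein(base, officialBase) <= 2) return { id: "SEC015", severity: "High", impersonates: official };
  }
  return null;
}

// Steps 3 and 4: consult the catalog first, fall back to local heuristics for
// unknown artifacts, then apply the organization's threshold.
function gate(ecosystem, name, policy = { threshold: 60 }) {
  const key = `${ecosystem}:${name}`;
  const known = CATALOG[key];
  if (known) {
    const allowed = known.verdict !== "deny" && known.score >= policy.threshold;
    return { key, source: "catalog", score: known.score, findings: [], verdict: allowed ? known.verdict : "deny", allowed };
  }
  const findings = [];
  const ts = typosquatFinding(name);
  if (ts) findings.push(ts);
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + (PENALTY[f.severity] || 0), 0));
  // Unknown artifacts never get a clean "allow" from local checks alone: the
  // best they get is "warn" until the full analysis from step 1 has run.
  const verdict = score < policy.threshold ? "deny" : "warn";
  return { key, source: "local", score, findings, verdict, allowed: verdict !== "deny" };
}

if (typeof require !== "undefined" && require.main === module) {
  const samples = ["@chatgptclaude_club/claude-code", "@anthropic-ai/claude-code",
                   "@evil-scope/claude-code", "claude-cod", "some-other-tool"];
  for (const n of samples) {
    const r = gate("npm", n);
    console.log(`${r.verdict.toUpperCase().padEnd(5)} ${String(r.score).padStart(3)}/100  ${r.key}  (${r.source})`);
  }
}
```

Run it with node to print a verdict for each sample name. The edit-distance rule is deliberately simple: for short official names (such as an unscoped sdk) a two-edit window will match unrelated packages, so a production check would weight the rule by name length and keep the stronger signal for a matching unscoped name under a foreign scope, as the example already does.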

What It Looks Like

Real scan output showing how Truvant catches malicious packages before they’re installed.

mcpctl scan @chatgptclaude_club/claude-code

npm:@chatgptclaude_club/claude-code
================================================================================
Score:     8/100 - Critical Risk
Publisher: UNVERIFIED (lustfully3904)
Status:   flagged

Findings Summary:
  Critical: 3  High: 2  Medium: 1  Low: 0

--------------------------------------------------------------------------------

[Critical] MAL001 - Bidirectional C2 Server
  Establishes persistent reverse shell to attacker-controlled endpoint
  Location: src/index.js:14
  MITRE ATLAS: AML.T0010 | OWASP LLM: LLM06 | OWASP Agentic: OASP-AGENT-05

[Critical] MAL002 - Credential Harvester
  Reads ANTHROPIC_API_KEY, AWS credentials, SSH keys from environment
  Location: src/collect.js:8
  MITRE ATLAS: AML.T0012 | OWASP LLM: LLM06

[Critical] MAL003 - Data Exfiltration
  POST request to external endpoint with harvested credentials
  Location: src/collect.js:42
  MITRE ATLAS: AML.T0024 | OWASP Agentic: OASP-AGENT-03

[High] SEC015 - Typosquatting Package Name
  Package name impersonates official Anthropic package: claude-code
  MITRE ATLAS: AML.T0010

Policy: FAIL (score 8 < threshold 60)
BLOCKED: Installation prevented by organization policy.

mcpctl scan postmark-mcp

npm:postmark-mcp
================================================================================
Score:     15/100 - Critical Risk
Publisher: UNVERIFIED
Status:   flagged

Findings Summary:
  Critical: 2  High: 1  Medium: 2  Low: 0

[Critical] MAL004 - Environment Variable Exfiltration
  Reads process.env and sends to external endpoint on MCP tool invocation
  Location: src/server.ts:23

[Critical] MCP001 - Hidden Tool Behavior
  Tool ‘send_email’ executes undocumented data collection alongside stated function
  Location: src/tools.ts:67

Policy: FAIL (score 15 < threshold 60)
BLOCKED: Installation prevented by organization policy.
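For teams that want the same verdict enforced in CI, here is an added example (not part of mcpctl or Truvant) that parses the text report format shown above into a structure and turns it into an exit code. The first sample is abridged from the first scan output above; the second, passing report is constructed, and the line layout of both is assumed to be stable, which a real integration should verify against the mcpctl version in use (a machine-readable output option, if one exists, would be preferable to parsing screen text).

```javascript
// Added example, not part of mcpctl or Truvant: a parser for the text report
// shown above, so a CI job can fail a build on the verdict a developer sees.
// SAMPLE_REPORT is abridged from the page's first scan output; CLEAN_REPORT is
// constructed, and the line layout of both is an assumption.
const SAMPLE_REPORT = `npm:@chatgptclaude_club/claude-code
================================================================================
Score:     8/100 - Critical Risk
Publisher: UNVERIFIED (lustfully3904)
Status:   flagged

Findings Summary:
  Critical: 3  High: 2  Medium: 1  Low: 0

--------------------------------------------------------------------------------

[Critical] MAL001 - Bidirectional C2 Server
  Establishes persistent reverse shell to attacker-controlled endpoint
  Location: src/index.js:14
  MITRE ATLAS: AML.T0010 | OWASP LLM: LLM06 | OWASP Agentic: OASP-AGENT-05

[High] SEC015 - Typosquatting Package Name
  Package name impersonates official Anthropic package: claude-code
  MITRE ATLAS: AML.T0010

Policy: FAIL (score 8 < threshold 60)
BLOCKED: Installation prevented by organization policy.
`;

// Constructed report for a package that passes (format assumed, not observed).
const CLEAN_REPORT = `npm:example-clean-mcp
================================================================================
Score:     92/100 - Low Risk
Publisher: VERIFIED (example-org)
Status:   ok

Policy: PASS (score 92 >= threshold 60)
`;

// Walk the report line by line; detail lines (description, Location, MITRE)
// attach to the most recent "[Severity] ID - Title" heading.
function parseReport(text) {
  const report = { artifact: null, score: null, publisherVerified: null, status: null, findings: [], policy: null };
  let current = null; // the finding whose detail lines we are reading
  for (const raw of text.split("\n")) {
    const line = raw.trimEnd();
    let m;
    if (report.artifact === null && /^\w+:\S+$/.test(line)) { report.artifact = line; continue; }
    if ((m = line.match(/^Score:\s+(\d+)\/100/))) { report.score = Number(m[1]); continue; }
    if ((m = line.match(/^Publisher:\s+(\S+)/))) { report.publisherVerified = m[1] === "VERIFIED"; continue; }
    if ((m = line.match(/^Status:\s+(\S+)/))) { report.status = m[1]; continue; }
    if ((m = line.match(/^Policy:\s+(PASS|FAIL)/))) { report.policy = m[1]; current = null; continue; }
    if ((m = line.match(/^\[(\w+)\]\s+(\S+)\s+-\s+(.+)$/))) {
      current = { severity: m[1], id: m[2], title: m[3], description: null, location: null, mappings: {} };
      report.findings.push(current);
      continue;
    }
    if (line === "") { current = null; continue; }
    if (!current) continue; // summary block, rulers, the BLOCKED line
    if ((m = line.match(/^\s+Location:\s+(\S+)/))) { current.location = m[1]; continue; }
    if (/^\s+MITRE ATLAS:/.test(line)) {
      for (const part of line.split("|")) {
        const idx = part.indexOf(":");
        current.mappings[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
      }
      continue;
    }
    if (current.description === null) current.description = line.trim();
  }
  return report;
}

// Turn a parsed report into a CI exit code. The Policy line is authoritative;
// the score and severity checks guard against a report where it is missing.
function ciDecision(report, threshold = 60) {
  const reasons = [];
  const warnings = [];
  if (report.policy === "FAIL") reasons.push("organization policy failed");
  if (report.score !== null && report.score < threshold) reasons.push(`score ${report.score} below ${threshold}`);
  for (const f of report.findings) if (f.severity === "Critical") reasons.push(`${f.id}: ${f.title}`);
  if (report.publisherVerified === false) warnings.push("publisher unverified");
  return { exitCode: reasons.length ? 1 : 0, reasons, warnings };
}

if (typeof require !== "undefined" && require.main === module) {
  const d = ciDecision(parseReport(SAMPLE_REPORT));
  console.log(`exit ${d.exitCode}: ${d.reasons.join("; ")}`);
}
```

In a pipeline the script would read the report from stdin or a file instead of the embedded samples and call process.exit with the returned code; the warnings array is kept separate so that an unverified publisher is surfaced without failing the build on its own.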

Without Truvant

  • Developer runs npm install — malware executes immediately
  • No pre-install reputation check exists
  • Typosquatted packages look identical to real ones
  • Each org discovers threats independently
  • No fleet-wide visibility into what’s installed

With Truvant

  • Catalog check blocks known malware before install
  • Global reputation index — one org’s discovery protects all
  • Publisher verification flags impersonation
  • Continuous monitoring detects newly compromised packages
  • Fleet inventory: “who has package X?” in seconds

The Lesson

AI Developers Are the New Target

Attackers are publishing fake Claude Code packages, malicious MCP servers, and compromised AI tooling libraries specifically targeting developers adopting AI agents. The AI ecosystem is the new supply chain attack surface.

Collective Intelligence Wins

When one organization discovers a malicious package, every organization benefits. The Artifact Reputation Registry pools threat intelligence across the entire Truvant user base — the more organizations that participate, the faster threats are caught.

Scan Before You Install

npm and PyPI have no pre-install security gate. Truvant adds one — every MCP server, skill, and plugin is checked against the reputation registry before it reaches your machine. Known threats are blocked instantly.


Know what you’re installing before you install it.

Global artifact reputation. Pre-install security checks. Fleet-wide inventory.
