Claude Code Hook Backdoors
Five npm packages (iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, ms-graph-types) that abuse Claude Code hooks to backdoor AI coding sessions.
discovered 2026-05-13
Objective
Backdoor developer AI coding sessions via Claude Code hooks.
Packages
Indicators
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1539 Steal Web Session Cookie
- T1105 Ingress Tool Transfer
- T1071.001 Application Layer Protocol: Web Protocols
- T1102 Web Service
- T1546 Event Triggered Execution
