Typosquatting npm Packages Exploit Claude Code SessionStart Hooks to Deploy Persistent Developer Backdoors
A newly identified supply chain attack is targeting software developers through typosquatting npm packages that abuse Claude Code's SessionStart hooks to establish persistent backdoors on infected systems. The campaign delivers a statically linked, UPX-compressed ELF binary that runs during package installation and is re-launched automatically each time a Claude Code session starts, giving the attacker a resilient foothold on developer machines.
Security researchers at SafeDep.io identified five malicious packages, including `iceberg-js` and `@microsoft/applicationinsights-common`, whose names are chosen to mimic legitimate libraries. Each package embeds the same 4.5 MB ELF binary (MD5: b604b21749a396111bb111d46d97b1c4) inside a hidden `.claude/` directory. A `preinstall` script launches the binary during `npm install`, and the binary then modifies `.claude/settings.json` so that a SessionStart hook re-executes it whenever a Claude Code session begins. The malware connects to a command-and-control server at 207.90.194.2:443, to which it sends the data it harvests from the host.
The attack exfiltrates environment variables, Git repository contents, and system information read from `/proc/`, which in a development environment typically yields credentials, API keys, and other secrets. Abusing Claude Code hooks is an effective persistence technique because hooks are a documented feature that runs arbitrary commands with the developer's privileges, so a hook entry in `settings.json` looks like ordinary configuration rather than malware and is easy to overlook. Organizations that consume npm packages in their development pipelines should audit dependencies for the identified packages, compare any ELF found under a package's `.claude/` directory against the published hash, and review both project-level and user-level `.claude/settings.json` files for SessionStart hook commands they did not add. Because the initial foothold is an npm lifecycle script, installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) blocks this execution path, at the cost of breaking packages that legitimately rely on install scripts.