{"campaign":{"name":"Claude Code Hook Backdoors","slug":"claude-code-hook-backdoors","href":"/ti/campaigns/claude-code-hook-backdoors","description":"Five npm packages (iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, ms-graph-types) that abuse Claude Code hooks to backdoor AI coding sessions.","objective":"Backdoor developer AI coding sessions via Claude Code hooks.","aliases":[],"discovered_at":"2026-05-13"},"packages":[{"ecosystem":"npm","name":"iceberg-javascript","href":"/ti/packages/npm/iceberg-javascript","threat_types":["rat","persistence"],"versions":["0.8.2"]},{"ecosystem":"npm","name":"supabase-javascript","href":"/ti/packages/npm/supabase-javascript","threat_types":["rat","persistence"],"versions":["2.98.3"]},{"ecosystem":"npm","name":"auth-javascript","href":"/ti/packages/npm/auth-javascript","threat_types":["rat","persistence"],"versions":["0.0.17"]},{"ecosystem":"npm","name":"microsoft-applicationinsights-common","href":"/ti/packages/npm/microsoft-applicationinsights-common","threat_types":["rat","persistence"],"versions":["3.4.2"]},{"ecosystem":"npm","name":"ms-graph-types","href":"/ti/packages/npm/ms-graph-types","threat_types":["rat","persistence"],"versions":["2.43.2"]}],"indicators":[{"kind":"ipv4","value":"207.90.194.2","href":"/ti/ioc/ipv4/207.90.194.2","context":"IP address indicator from blog post"},{"kind":"sha1","value":"8daaa2003784a92f4761ed3c9d5560ef8cf4bffa","href":"/ti/ioc/sha1/8daaa2003784a92f4761ed3c9d5560ef8cf4bffa","context":"SHA-1/commit-like hash from blog post"},{"kind":"md5","value":"b604b21749a396111bb111d46d97b1c4","href":"/ti/ioc/md5/b604b21749a396111bb111d46d97b1c4","context":"MD5 hash from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Steal Web Session Cookie","mitre_attack_id":"T1539","href":"/ti/ttps/T1539"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Web Service","mitre_attack_id":"T1102","href":"/ti/ttps/T1102"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"}],"related_campaigns":[],"reports":[{"title":"Malicious npm Packages Backdoor Claude Code Sessions","url":"https://safedep.io/malicious-npm-packages-claude-code-hooks","published_at":"2026-05-13"}]}