Which versions of anthropic-toolkit are malicious?

The following npm versions of anthropic-toolkit are flagged malicious: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, and 1 more. Treat any of these as compromised.

How do I remediate anthropic-toolkit if I installed it?

anthropic-toolkit is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed anthropic-toolkit — how do I know if it already compromised me?

If anthropic-toolkit was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

How do I find anthropic-toolkit across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for anthropic-toolkit (21 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging anthropic-toolkit across your stack and pipelines.

Malicious package

anthropic-toolkitnpm

Malicious code in anthropic-toolkit (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6673

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall anthropic-toolkit

What this malware does

[email protected] is a typosquat against the @anthropic-ai/sdk ecosystem. The package ships no library code — its declared main (dist/index.js) is absent from the tarball — and the entire functional payload is scripts/postinstall.js, which runs automatically on npm install. On install the script collects host and user identifiers (os.hostname(), os.userInfo(), os.platform(), cwd), parses ~/.gitconfig and ~/.config/git/config for user.email, walks .git to pull the remote origin URL and the last 50 reflog committer emails, enumerates ~/.ssh/*.pub to extract key-comment emails, reads ~/.aws/config for profile names, reads ~/.config/gh/hosts.yml for the authenticated GitHub user, reads ~/.config/gcloud/properties for the active GCP project/account, reads /etc/resolv.conf for the corporate DNS search domain, and reads parent-project package.json metadata plus CI provider env. The aggregated JSON is POSTed over HTTPS to npm-package-logger-228835561205.europe-west1.run.app. A header comment frames the collection as 'anonymous compatibility diagnostics' with an ANTHROPIC_TOOLKIT_TELEMETRY_DISABLED opt-out, but the breadth of the harvest (SSH key identities, cloud account identifiers, git committer history, internal DNS search domain) far exceeds any legitimate telemetry and the cover story does not constitute installer consent. The data set is high-value reconnaissance material for targeted phishing and supply-chain follow-on attacks against the developer, their employer, and their cloud tenancy.

Malicious versions

21 flagged

0.1.00.1.10.2.00.2.10.3.00.3.10.4.00.4.10.5.00.5.10.6.00.7.00.8.00.9.01.0.01.0.11.1.01.1.11.2.01.2.11.3.0

Indicators of compromise (SHA-256)

047000077a5181c5394d7caec1a5d27e71dc984396e951e2b83985b1f9b20989

49b0519f55b08c13567aec6a38dc2a7e0226d22a37885c86e609f03f7e99eaee

4a3490eb87ca9c29a8febbb5e5a13ff067cce445eb4ddccaefd462a067da0742

65a6ab4cc1aa0cb57baa92acaf3ee25793f33ba8ab053a9eb065c7692723dfca

6eff9920c4daa41936562f9a40baf01463fa50ce81f28ff9b0750fd157f4aec6

93f1e4b3b2d59ed3c4961ded435de21add69b43492ec5d12b625a9b6c50edc72

bcb08c0e2f8d02016153046061d99e4956ea06f8a3e7ec032863c35b639c394e

c8ef319a04814111a56265898f4441a094c31af07f27e8799c36d8323888cc8c

da8c70a3ea2062cc2675d513e63ee119544895d9ebffa72a255b83326a66527f

90ec82c6478e3a82eac71597b1c1fffc17d1b138e11e1a2aeadec7c00344c65e

ce5db7f45902f47128033a6e72f319c6d1db5c50af89a56171059d6cba63b3af

d0556d6c7695c25e1ba024658bbbdb3d3dc2f862e7704a96301645e20c371918

e00a2fee936768a863daa63514f93ce988b0bf4a154448df6709dbb39324f137

eb89991180df01be474a7d386bf599070ae78f7a2793b7a9d7b428997a3e4148

2de800cc5c674cf797a810aaf04324205058cdb92615414848b0bf30f03d0c1e

3bf9ce166567774f15e4dbe914878ea465351416e804bd5eedf566a469df84d0

4b11ad577e38504a6a2dab206a5fe447c79cb6a7dc6eee653e66eb62aca05155

6592f287e72699e5cc617f0a960cef0104c0cd4f5fcf1348e93f27eb8af379b5

fbd0be5a1ce1ee9b06cac5758a87c3caaefab5685bb5dfc2d7f8521f957ee64d

265a6c7912ef2328d01ac6fb184ba2a08a337f46bf486a4b4ab305660cc6c5fe

929f863e5a330785ad4e1f191d59859763f56faa1039834d0224615aa5dd7af4

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for anthropic-toolkit (21 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging anthropic-toolkit across your stack and pipelines.
If you installed it — respond
anthropic-toolkit is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If anthropic-toolkit was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks anthropic-toolkit before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. anthropic-toolkit on npm has been identified as a malicious package (versions 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, and 13 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007787IN-MAL-2026-007801IN-MAL-2026-007786IN-MAL-2026-007792IN-MAL-2026-007797IN-MAL-2026-007788IN-MAL-2026-007789IN-MAL-2026-007798IN-MAL-2026-007803IN-MAL-2026-007793IN-MAL-2026-007805IN-MAL-2026-007802IN-MAL-2026-007790IN-MAL-2026-007796IN-MAL-2026-007791IN-MAL-2026-007799IN-MAL-2026-007785IN-MAL-2026-007794IN-MAL-2026-007800IN-MAL-2026-007795IN-MAL-2026-007804

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks anthropic-toolkit-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring