ProductUS

Claude Code

Anthropic's AI-powered coding assistant; its configuration file, containing authentication tokens, was harvested by the malicious Nx Console payload.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

Why did attackers target Claude Code configuration in the GitHub supply-chain breach?

Timeline for Claude Code

#518 May

Mentioned in: GitHub's own code cloned via add-on

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

Was Claude Code compromised in the GitHub Nx Console breach?: Claude Code itself was not compromised. The local configuration files of a GitHub employee who had Claude Code installed were among the credentials harvested by the trojanised Nx Console extension running on their machine.Source: GitHub incident disclosure
What is Claude Code used for?: Claude Code is a command-line agentic coding assistant that can read and write files, execute Shell commands, manage git repositories, and interact with external tools within a developer's project environment.Source: Anthropic documentation
How should developers protect AI coding tool credentials from malware?: Security guidance after the May 2026 breach recommended hardware-key-backed authentication, minimal persistent local credentials, and strict endpoint security controls to prevent credential-stealing malware from accessing agentic tool sessions.Source: NCSC developer security guidance

Background

Claude Code's local configuration files were among the developer credentials exfiltrated during the May 2026 Nx Console supply-chain attack. The trojanised Nx Console extension (v18.95.0), live on the Visual Studio Marketplace for 18 minutes on 18 May 2026, harvested a range of developer secrets from the infected machine, including 1Password vaults, GitHub tokens, AWS credentials, npm tokens, and Claude Code configuration. The incident illustrates that agentic coding tools, which may hold authenticated sessions and persistent context, represent a new credential-theft surface alongside traditional secrets such as API keys and SSH credentials.

Claude Code is a command-line coding assistant that operates with agentic capabilities: it can read and write files, execute Shell commands, manage git repositories, and call external tools within a project context. It authenticates against cloud model APIs and may cache session state, authentication tokens, and project-level configuration locally. Like any locally authenticated developer tool, its configuration directory can be targeted by credential-stealing malware operating at the OS user level.

The inclusion of Claude Code configuration in the Nx Console exfiltration payload reflects the broader attacker interest in developer-machine credential harvesting rather than any vulnerability in the tool itself. The May 2026 incident contributed to practitioner discussion about the credential hygiene implications of agentic tooling and the need for hardware-key-backed or ephemeral authentication models for AI coding assistants handling sensitive repositories.

Source Material

Claude Code – Anthropic

How the World Sees Them

United States

The harvesting of agentic tool credentials alongside traditional API keys prompted US security practitioners to reconsider credential-isolation practices for AI coding assistants on developer machines.

European Union

EU data-protection practitioners noted that agentic tools with persistent local context may hold conversation history and project context that warrants treatment as sensitive personal or corporate data.

United Kingdom

NCSC developer-security guidance was updated after the breach; inclusion of agentic tool config in the exfiltration list expanded the scope of 'developer secrets' beyond SSH keys and tokens.