Security

When the Claude Code source code leaked on March 31, 2026 via a poorly secured npm .map file, most attention focused on the embarrassment for Anthropic. Less discussed: the malware campaigns that were already being built on top of that leak within hours. As of today, threat actors are actively distributing Vidar infostealer malware and GhostSocks proxy through fake GitHub repositories designed to look like legitimate Claude Code forks. If you’ve been searching for Claude Code on GitHub in the last 48 hours, you may have encountered these repos. ...

The Claude Code source code leak of March 31, 2026 created an immediate security hazard: threat actors began distributing Vidar infostealer malware through convincing fake GitHub repositories within 24 hours. If you’ve cloned any Claude Code fork from an unofficial source since then, this guide is for you. This is a practical, step-by-step walkthrough for: Verifying whether you downloaded a legitimate or fake Claude Code repo What to do if you ran a malicious installer How to protect yourself going forward Step 1: Verify the Repository You Downloaded Check the GitHub organization The only legitimate Claude Code repository is under the official Anthropic GitHub organization: ...

The open-source AI agent framework that conquered the internet in four months is now facing its most serious security reckoning yet. A comprehensive study published March 31 by Web3 security firm CertiK paints a stark picture: OpenClaw has accumulated over 100 CVEs and 280 security advisories since its release, with more than 135,000 internet-exposed instances actively leaking credentials — and a malware-infested skills marketplace that’s quietly targeting user wallets. The Architectural Problem Nobody Wanted to Talk About OpenClaw was originally designed for trusted local environments. You ran it on your laptop, it had access to your files and accounts, and that was fine because it was your machine. ...

The CertiK study published today identified 135,000 internet-exposed OpenClaw instances with systemic security failures: authentication disabled, API keys in plaintext, malware in the skills store. Most of those deployments weren’t the result of malicious intent — they were the result of setting up OpenClaw following the default quick-start guide and then opening it to the internet. This guide is the one you should follow instead. It covers a complete, production-grade VPS deployment of OpenClaw v2026.4.1 with the security hardening necessary to run it safely on a public-facing server. ...

Security researchers at Unit 42, Palo Alto Networks’ threat intelligence division, have disclosed a critical vulnerability in Google Cloud’s Vertex AI Agent Engine that allowed a misconfigured agent to operate as a “double agent” — appearing to perform its intended function while simultaneously exfiltrating customer data and Google’s own internal source code. The flaw was confirmed across multiple independent security sources and represents one of the most tangible examples yet of what happens when least-privilege principles are abandoned in the rush to deploy agentic AI infrastructure. ...

Sometimes the most revealing leaks aren’t the ones attackers engineer — they’re the ones that happen because someone forgot to add a line to .npmignore. That’s exactly what happened with Anthropic’s Claude Code v2.1.88. A developer named Chaofan Shou noticed that the npm package included a file it really, really shouldn’t have: main.js.map — a source map that, by design, contains a complete reconstruction of the original source code. By the time Anthropic patched it, GitHub mirrors had already spread. The community had 512,000 lines of TypeScript to dig through, and dig they did. ...

Security researcher Yarden Porat at Cyata published findings this week that should be required reading for anyone running CrewAI in production: four critical CVEs, chainable via prompt injection, that allow attackers to escape Docker sandboxes and execute arbitrary code on the host machine. CERT/CC issued advisory VU#221883. Patches are available. What Was Found Porat’s research identified four vulnerabilities in CrewAI that can be chained together: CVE-2026-2275 — The initial vector: a prompt injection flaw that allows malicious content in agent inputs to manipulate how CrewAI processes tool calls. Normally, tool calls are structured, validated operations. This CVE allows crafted input to make the framework treat attacker-controlled content as legitimate tool invocations. ...

RSAC 2026 is where the agentic AI security conversation got serious, and the number that defined it was 500,000. That’s the estimated count of internet-facing OpenClaw instances identified by security researchers — a deployment footprint that arrived faster than the security tooling needed to manage it. VentureBeat’s analysis at the conference laid out an uncomfortable reality: half a million instances, three unpatched high-severity CVEs, and no mechanism for fleet-wide patching or emergency shutdown. ...

OpenClaw shipped v2026.3.31 on March 31st, and it’s one of the more substantive releases in recent months. Three security fixes over the prior stable version (v2026.3.28), a rethought approach to background task management, and two new platform integrations — including one that opens the China market. If you’re running OpenClaw in production, this release warrants a careful read before you upgrade. The Security Story: Trust Is No Longer Automatic The headline change in v2026.3.31 is a security model overhaul that makes implicit trust explicit across the stack. ...

A carefully crafted malicious prompt could turn an ordinary ChatGPT conversation into a covert data exfiltration channel — silently leaking your messages, uploaded files, and AI-generated summaries without any warning. Check Point Research published full technical details on March 31, 2026 of a vulnerability that OpenAI patched on February 20, 2026. The Architecture of a Silent Exfiltration ChatGPT runs code in a sandboxed Linux environment with outbound web controls designed to prevent unauthorized data sharing. The controls block direct HTTP/HTTPS requests — but the researchers discovered a critical gap: DNS lookups were not subject to the same outbound restrictions. ...