Security vulnerabilitty found in axios. Is claude code affected?

Resolved 💬 3 comments Opened Mar 31, 2026 by verschmelzen Closed Apr 2, 2026

Original security report: https://github.com/axios/axios/issues/10604

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

https://github.com/axios/axios/issues/10611

Trojan exploit currently being uncovered at the axios repo. From quick inspection of files from npm and issues on this repo it seems that axios might be used here.

Could you clarify if axios is used in claude-code and if yes, which version? Is claude-code affected?

Check performed:

cd /tmp
  npm pack @anthropic-ai/claude-code
  tar xzf anthropic-ai-claude-code-*.tgz
  grep -r "axios" package/ --include="*.js" -l

output:

npm notice
npm notice 📦  @anthropic-ai/claude-code@2.1.87
npm notice Tarball Contents
npm notice 147B LICENSE.md
npm notice 2.0kB README.md
npm notice 596B bun.lock
npm notice 13.0MB cli.js
npm notice 1.2kB package.json
npm notice 116.9kB sdk-tools.d.ts
npm notice 439.1kB vendor/audio-capture/arm64-darwin/audio-capture.node
npm notice 458.8kB vendor/audio-capture/arm64-linux/audio-capture.node
npm notice 447.5kB vendor/audio-capture/arm64-win32/audio-capture.node
npm notice 431.3kB vendor/audio-capture/x64-darwin/audio-capture.node
npm notice 494.5kB vendor/audio-capture/x64-linux/audio-capture.node
npm notice 492.5kB vendor/audio-capture/x64-win32/audio-capture.node
npm notice 4.4MB vendor/ripgrep/arm64-darwin/rg
npm notice 5.2MB vendor/ripgrep/arm64-linux/rg
npm notice 3.9MB vendor/ripgrep/arm64-win32/rg.exe
npm notice 126B vendor/ripgrep/COPYING
npm notice 5.2MB vendor/ripgrep/x64-darwin/rg
npm notice 6.6MB vendor/ripgrep/x64-linux/rg
npm notice 5.4MB vendor/ripgrep/x64-win32/rg.exe
npm notice Tarball Details
npm notice name: @anthropic-ai/claude-code
npm notice version: 2.1.87
npm notice filename: anthropic-ai-claude-code-2.1.87.tgz
npm notice package size: 17.4 MB
npm notice unpacked size: 46.6 MB
npm notice shasum: 7727a2e69353a24eb9adf89b6134fd207c086a2a
npm notice integrity: sha512-R40p85lv270Ms[...]t5CDw++tKZD0g==
npm notice total files: 19
npm notice
anthropic-ai-claude-code-2.1.87.tgz
package/cli.js

What Should Happen?

Clarify if axios is being used here. And if any of the claude-code versions are effected by the exploit

https://github.com/axios/axios/issues/10611

Error Messages/Logs

Steps to Reproduce

Provided checks i pervormed above

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

unknown

Platform

Anthropic API

Operating System

Other

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗