Three signals arrived in the same 48-hour window: a supply chain attack purpose-built to steal files from Anthropic's Claude AI environment, a new CrowdStrike integration designed to bring Claude audit data into the SOC, and a detailed risk catalogue warning that Claude has become "your employees' operating system" without most security teams noticing. Taken together, they describe a platform that has crossed the threshold from productivity tool to enterprise attack surface - and an industry scrambling to govern what it already deployed.
The First Claude-Targeted Supply Chain Attack
OX Security researchers disclosed a malicious npm package called mouse5212-super-formatter that specifically targets /mnt/user-data, the local directory Anthropic's Claude uses to handle uploads and outputs. [1] The package masquerades as an internal "archive deployment sync" utility. In reality, it authenticates to GitHub during the postinstall stage - using either a stolen or hard-coded token - creates a repository if one does not exist, and recursively uploads every file from the Claude data directory to a threat-actor-controlled GitHub account. [1]
The package was downloaded approximately 676 times before discovery, and the GitHub account linked to the campaign was created just hours before the first malicious version was uploaded. [1] The threat actor leaked their own GitHub private token in the package - a lapse that OX attributes to the likelihood that AI was used to generate the malware without adequate operational security review. OX has codenamed the activity "Malware-Slop," a term that may prove prescient: as the barrier to writing malicious code drops, expect more low-skill actors targeting AI-specific directories and workflows.
This is notable not for its sophistication but for its specificity. Attackers are no longer treating AI tools as generic software. They are building malware that targets the unique file structures and data flows of specific AI platforms.
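The behaviour described above (an install-time hook that walks /mnt/user-data and pushes it to GitHub) is exactly the kind of thing a dependency audit can flag before the package ever runs. The following is an added defensive example, not code from OX Security or from the package itself: it walks a node_modules tree, reports every package that declares a lifecycle hook, and searches the hook commands and the package's JavaScript for indicators the write-up mentions. The two packages it scans are constructed fixtures; the indicator list (the Claude data directory, the GitHub API host, GitHub token prefixes, recursive directory reads) is an assumption about what a defender would want flagged, not a signature for the real package.

```python
"""Audit an npm dependency tree for install-time scripts that touch AI data directories.

Added defensive example. The sample packages are constructed for the demo; the
indicator patterns are assumptions about what is worth flagging, not a signature.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install` unless --ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

SUSPICIOUS_PATTERNS = {
    "claude_data_dir": re.compile(r"/mnt/user-data"),          # directory named in the write-up
    "github_api": re.compile(r"api\.github\.com"),              # upload target
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),  # hard-coded GitHub token
    "recursive_walk": re.compile(r"\b(readdirSync|readdir|walk|glob)\b"),
}


def audit_package(pkg_dir: Path) -> list[str]:
    """Return findings for one package directory that contains a package.json."""
    findings: list[str] = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    scripts = manifest.get("scripts", {})
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    if not hooks:
        return findings  # no install-time execution, nothing to flag here
    name = manifest.get("name", pkg_dir.name)
    for hook, cmd in hooks.items():
        findings.append(f"{name}: lifecycle hook '{hook}' runs: {cmd}")
    # Scan the hook command lines plus every JS file shipped in the package.
    corpus = "\n".join(hooks.values())
    for js in pkg_dir.rglob("*.js"):
        corpus += "\n" + js.read_text(errors="replace")
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(corpus):
            findings.append(f"{name}: indicator '{label}' present in install-time code")
    return findings


def audit_tree(node_modules: Path) -> list[str]:
    """Audit every package below node_modules (nested dependencies included)."""
    findings: list[str] = []
    for manifest in sorted(node_modules.rglob("package.json")):
        findings.extend(audit_package(manifest.parent))
    return findings


def build_demo_tree() -> Path:
    """Construct a tiny node_modules with one benign and one suspicious package."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "left-pad-ish"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "version": "1.0.0", "main": "index.js"}))
    (benign / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")

    bad = root / "demo-formatter"  # constructed stand-in, not the real package
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"name": "demo-formatter", "version": "1.0.0",
         "scripts": {"postinstall": "node setup.js"}}))
    (bad / "setup.js").write_text(
        "// constructed fixture: an install hook that reads the Claude data directory\n"
        "const fs = require('fs');\n"
        "const files = fs.readdirSync('/mnt/user-data', { recursive: true });\n"
        "// ... would push each file to https://api.github.com using ghp_AAAAAAAAAAAAAAAAAAAAAAAA\n"
    )
    return root


if __name__ == "__main__":
    for line in audit_tree(build_demo_tree()):
        print(line)
```

Run it against a real checkout with `audit_tree(Path("node_modules"))`; anything that declares a postinstall hook and also matches an indicator deserves a manual read before the next install. Pair the audit with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) on developer machines and CI runners so that hooks only run for packages someone has explicitly vetted.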
CrowdStrike Brings Claude into the SOC
The same week, CrowdStrike announced an integration between Anthropic's Claude Compliance API and the Falcon platform. [2] The integration ingests Claude authentication events, user activity logs, administrative changes, and API usage into Falcon Next-Gen SIEM, where they can be correlated with endpoint, identity, cloud, and third-party telemetry.
The goal is straightforward: AI is among the fastest-growing and most privileged application categories in the enterprise, yet it remains one of the least visible to security teams, according to CrowdStrike. [2] Without centralized visibility, organizations face blind spots in incident response, compliance reporting, and insider threat programs.
CrowdStrike's Charlotte Agentic SOAR can act on Claude-derived signals automatically - creating enriched cases, correlating suspicious authentication patterns with threat intelligence, and escalating high-confidence incidents without manual intervention. [2] The integration represents an acknowledgment by both Anthropic and CrowdStrike that Claude deployments now require the same audit infrastructure as any other enterprise application.
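To make the "correlating suspicious authentication patterns" idea concrete, here is an added example of the kind of rule logic a SIEM would run once Claude audit events are ingested. It is not CrowdStrike's or Anthropic's code, and the event schema it parses (ts, user, action, ip, geo) is an assumption made for the demo rather than the Claude Compliance API format; every event line is constructed. Two rules are implemented: logins for the same user from different countries inside a short window, and an API key created from outside the user's baseline country followed by a burst of API requests.

```python
"""Correlate constructed Claude-style audit events the way a SIEM rule set would.

Added example. The event schema and all events below are constructed assumptions,
not the real Claude Compliance API format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_WINDOW = timedelta(minutes=30)   # max gap for the cross-country login rule
BURST_WINDOW = timedelta(minutes=10)  # lookahead after an API key is created

# Constructed sample: one user with a suspicious sequence, one with normal activity.
RAW_EVENTS = """\
{"ts":"2026-05-01T09:00:00Z","user":"dana@example.com","action":"auth.login","ip":"198.51.100.7","geo":"US"}
{"ts":"2026-05-01T09:12:00Z","user":"dana@example.com","action":"auth.login","ip":"203.0.113.9","geo":"BR"}
{"ts":"2026-05-01T09:14:00Z","user":"dana@example.com","action":"admin.api_key.create","ip":"203.0.113.9","geo":"BR"}
{"ts":"2026-05-01T09:15:00Z","user":"dana@example.com","action":"api.request","ip":"203.0.113.9","geo":"BR"}
{"ts":"2026-05-01T09:16:00Z","user":"dana@example.com","action":"api.request","ip":"203.0.113.9","geo":"BR"}
{"ts":"2026-05-01T09:17:00Z","user":"dana@example.com","action":"api.request","ip":"203.0.113.9","geo":"BR"}
{"ts":"2026-05-01T10:00:00Z","user":"lee@example.com","action":"auth.login","ip":"198.51.100.8","geo":"US"}
{"ts":"2026-05-01T10:05:00Z","user":"lee@example.com","action":"api.request","ip":"198.51.100.8","geo":"US"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse JSON lines into dicts with real datetimes, sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[dict]:
    """Apply both correlation rules per user and return the alerts raised."""
    alerts: list[dict] = []
    by_user: dict[str, list[dict]] = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    for user, evs in by_user.items():
        logins = [e for e in evs if e["action"] == "auth.login"]

        # Rule 1: consecutive logins from different countries within AUTH_WINDOW.
        for prev, cur in zip(logins, logins[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["geo"] != cur["geo"] and gap <= AUTH_WINDOW:
                alerts.append({
                    "rule": "impossible_travel", "user": user,
                    "detail": f"{prev['geo']}->{cur['geo']} in {gap.seconds // 60} min",
                })

        # Rule 2: API key created outside the user's baseline country (country of
        # their first login in the window), followed by a burst of API calls from
        # the same IP. A key minted from an unfamiliar location is the pivot point
        # an attacker would use to keep access after the session ends.
        baseline = logins[0]["geo"] if logins else None
        for e in evs:
            if e["action"] != "admin.api_key.create" or e["geo"] == baseline:
                continue
            burst = sum(
                1 for x in evs
                if x["action"] == "api.request" and x["ip"] == e["ip"]
                and e["ts"] <= x["ts"] <= e["ts"] + BURST_WINDOW
            )
            alerts.append({
                "rule": "key_created_off_baseline", "user": user,
                "detail": f"key created from {e['geo']} (baseline {baseline}); "
                          f"{burst} API calls in next 10 min",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(RAW_EVENTS)):
        print(alert)
```

Both rules only become possible once authentication, administrative and API-usage events sit in the same store; neither can be written against the Claude console alone. In a real deployment the baseline country would come from the user's identity-provider history rather than the first login in the batch, and the second rule's alert is what a SOAR playbook would enrich with endpoint and identity telemetry before escalating.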
Six Risks Hiding in Plain Sight
A detailed risk analysis published by the Cloud Security Alliance, originally authored by Akto, catalogues the specific attack surface Claude creates when adoption outpaces oversight. [3] Several findings stand out:
Shadow usage is pervasive. Developers feed proprietary source code into Claude to accelerate refactoring. Finance analysts run revenue projections through Cowork. Legal teams iterate on contract language alongside confidential deal terms. In most cases, IT was never consulted, and no acceptable use policy exists. [3]
Claude Projects are unmonitored data stores. Enterprise Projects allow teams to upload documents, share access, and connect external data sources. Most organizations cannot answer basic questions about which documents have been uploaded to Claude Projects, who has access, or which connectors are active - creating enterprise-grade risk with consumer-grade visibility. [3]
The code Claude writes is frequently insecure. Veracode testing found that in 52% of coding tasks, Claude's Opus 4.7 model produced code containing a vulnerability - compared to roughly 30% for OpenAI's models. [3] Less experienced developers are unlikely to catch these flaws, and insecure AI-generated code is already reaching production unreviewed.
The tool itself has had critical flaws. Check Point Research discovered vulnerabilities in Claude Code (CVE-2025-59536, CVE-2026-21852) where simply opening a malicious repository could trigger hidden command execution on a developer's machine. [3] A stolen API key from one compromised developer could provide access to an entire team's shared resources.
Agent skills are a new supply chain vector. Snyk audited nearly 4,000 agent skills and found over a third had at least one security flaw, while the ClawHavoc campaign seeded hundreds of malicious skills across platforms. [3] Traditional scanners cannot catch prompt-injection payloads hidden in plain-language instructions.
What Organizations Should Do Now
The convergence of these signals - active supply chain attacks, new audit tooling, and a broadening risk catalogue - points to a clear set of priorities for security teams.
Looking Ahead
Claude's trajectory mirrors what happened with cloud adoption a decade ago: rapid deployment driven by productivity gains, followed by a scramble to retrofit governance, visibility, and access controls. The difference is speed. Claude's capabilities - file access, shell execution, MCP connectors, autonomous collaboration - expanded faster than most security architectures could adapt.
The npm attack this week was sloppy, likely AI-generated, and caught relatively quickly. The next one may not be. Organizations that treat Claude as just another chat tool rather than privileged enterprise infrastructure are building a structural deficit that compounds with every ungoverned deployment.
Sources
[1] Malicious npm Package Stole Files From Claude AI User Directory via GitHub (OX Security)
[2] New Claude Integration Brings Audit Data into the Falcon Platform (CrowdStrike)
[3] Top 6 Claude Security Risks to Watch as AI Becomes Your Employees' Operating System (Cloud Security Alliance, originally authored by Akto)
