Hackers Are Posting the Claude Code Leak With Bonus Malware

Plus: The FBI says a recent hack of its wiretap tools poses a national security risk, attackers stole Cisco source code as part of an ongoing supply chain hacking spree, and more.


Customs and Border Protection may want to remember to protect its sensitive facility information.

Using basic Google searches, WIRED discovered flashcards made by users of the online learning platform Quizlet that contained gate codes to CBP facilities and more.

In a rare move, Apple this week released “backported” patches for iOS 18 to protect millions of people still using the older operating system from the DarkSword hacking technique that was found in use in the wild.

Discovered in March, DarkSword allows attackers to infect iPhones that simply visit a website loaded with the takeover tools embedded in it.

Apple initially pushed users to update to the current version of its operating system, iOS 26, but ultimately issued the iOS 18 patches after DarkSword continued to spread.

The US-Israel war with Iran careened into its second month this week, with Iran threatening to launch attacks against more than a dozen US companies, including tech giants like Apple, Google, and Microsoft, which have offices and data centers in the Gulf region.

The deadly conflict, which has no clear end in sight, continues to wreak havoc on the global economy as shipping crews remain stranded in the Strait of Hormuz, a key trade route.

Meanwhile, some are beginning to wonder what could happen if US strikes cause real damage to Iran’s nuclear facilities.

And that’s not all!

Each week, we round up the security and privacy news we didn’t cover in depth ourselves.

Click the headlines to read the full stories.

And stay safe out there.

Earlier this week, a security researcher flagged that Anthropic accidentally made the source code for its popular vibe-coding tool, Claude Code, public.

Immediately, people began reposting the code on the developer platform GitHub.

But beware if you want to try to download some of those repos yourself: BleepingComputer reports that some of the posters are actually hackers who have tucked a piece of infostealer malware into the lines of code.

Hack of FBI Wiretap Tools Is Officially a National Security Risk
The FBI formally classified a recent cyber intrusion into one of its surveillance collection systems as a “major incident” under FISMA—a legal designation reserved for breaches believed to pose serious risks to national security.

The determination, reported to Congress earlier this week, is understood to be the first time since at least 2020 that the bureau has declared a major incident on its own systems.

Politico, citing two unnamed senior Trump administration officials, reported that China is believed to be behind the intrusion.

If confirmed, the breach could mark a significant counterintelligence failure for the FBI.

The FBI said it detected “suspicious activities” on its networks in February.

In a notice to Congress on March 4, reviewed by Politico, the bureau said the compromised systems were unclassified and held “returns from legal process,” citing, as examples, phone and internet metadata collected under court orders and personal information “pertaining to subjects of FBI investigations.” The intruders reportedly gained access through a commercial internet service provider, an approach the FBI characterized as reflecting “sophisticated tactics.” In its only public statement, the bureau said it had deployed “all technical capabilities to respond.”

The breach adds to what has become a pattern of hackers, most if not all foreign, penetrating the FBI's own systems and surveillance infrastructure.

In 2023, a foreign hacker accessed files from the bureau's Epstein investigation through an exposed forensic lab server.

Last month, Iranian-linked hackers compromised FBI Director Kash Patel's personal email.

The Salt Typhoon campaign, uncovered in 2024, saw Chinese hackers burrow into at least eight domestic telecom and internet service providers—exploiting the carrier side of the same surveillance infrastructure believed to be at issue in the current breach.

The FBI acknowledged last year that Salt Typhoon had compromised at least 200 companies across 80 countries, and researchers said it showed no signs of slowing down.

How a 22-Year-Old College Student Helped Take Down a Record-Breaking Botnet
Two weeks ago, US law enforcement announced a landmark takedown of four interrelated botnets—massive collections of computers hijacked with malware to do a hacker’s bidding—that were known by the names Aisuru, Kimwolf, JackSkid, and Mossad.

The Aisuru and Kimwolf botnets in particular had carried out some of the biggest so-called distributed denial-of-service cyberattacks in history, using hordes of hacked internet-of-things devices to bombard victims with junk traffic.

$280 Million Stolen From Drift Crypto Platform, Likely by North Korean Hackers
Given the rate at which the cryptocurrency industry’s insecurity has funded the authoritarian regime of Kim Jong Un in recent years, 2026 was overdue for a large-scale North Korean crypto theft.

Now, the decentralized finance platform Drift has conceded that $280 million was stolen from the company in a cybersecurity breach.

Crypto-tracing firm Elliptic pointed the finger at North Korean hackers for the intrusion based on clues in their interactions with the blockchains of the stolen crypto as well as their “laundering methodologies and network-level indicators.” In total, Elliptic says that North Korean hackers have stolen close to $300 million this year, the vast majority of which was taken in this latest theft.

As huge as that heist may be, the country’s hackers still aren’t quite on track to beat the $2 billion in crypto they stole in total last year.

Cisco Source Code Stolen in Software Supply Chain Breach Spree
Cybersecurity news outlet Bleeping Computer reported this week that Cisco had been the latest victim of a software supply chain hacking spree, which has now resulted in the theft of portions of the company’s source code and that of some of its customers.

The breach appears to be the work of the TeamPCP hacker group, which has compromised multiple pieces of security software with its own malicious code, then used their access from that malware to steal user credentials.

In this case, Cisco’s credentials were reportedly stolen via the compromise of the vulnerability scanner software Trivy, which then allowed the hackers to access Cisco’s developer environments.

The Cisco breach is just the most recent in a string of supply chain attacks that TeamPCP has carried out to spread its infostealer malware, including via the LiteLLM AI software and the security software CheckMarx.

Source: This article was originally published by Wired
