This Week in Cybersecurity: Claude Code Leaked, EU Commission Hit, and 29 Million Secrets Exposed on GitHub

A weekly roundup of the most significant cybersecurity stories from around the globe.

The cybersecurity landscape continues to evolve at breakneck speed, and this past week delivered no shortage of headline-making incidents. From a major source code leak at one of the world’s leading AI companies to state-sponsored phishing campaigns and municipal ransomware attacks, defenders had plenty to keep them busy. Here’s your comprehensive breakdown of the stories that mattered most.

1. Claude Code Source Inadvertently Leaked via npm Packaging Error

Anthropic confirmed on Tuesday that internal source code for its popular AI coding assistant, Claude Code, was accidentally published to npm due to a human packaging error. Version 2.1.88 of the Claude Code npm package contained a source map file that exposed nearly 2,000 TypeScript files and over 512,000 lines of code. Security researcher Chaofan Shou was the first to publicly flag the issue on X (formerly Twitter). Anthropic swiftly pulled the affected version and stated that no customer data or credentials were exposed, describing it as a “release packaging issue caused by human error, not a security breach.” Still, the incident raises serious questions about supply chain integrity for AI developer tools and the adequacy of npm publishing safeguards at major technology companies. Anthropic says it is rolling out measures to prevent recurrence, but the damage to confidence in their release processes may take longer to repair.
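A packaging slip of this kind can be caught by a gate that runs before publish. The sketch below is an added example, not Anthropic's code or tooling: it inspects a package's file set for source maps and for `sourcesContent`, the source map v3 field that embeds the original source text. The package name, file names and contents are constructed for illustration.

```javascript
// Added example: pre-publish gate that flags source maps in a package's file set.
// Constructed sample: files as they would sit in a package tarball (path + text).
const SAMPLE_FILES = [
  { path: "package.json", content: '{"name":"example-cli","version":"0.0.0"}' },
  { path: "cli.js", content: 'console.log("hi");\n//# sourceMappingURL=cli.js.map\n' },
  { path: "cli.js.map", content: JSON.stringify({
      version: 3, file: "cli.js",
      sources: ["../src/main.ts", "../src/auth.ts"],
      sourcesContent: ["export const main = () => {};", "export const login = () => {};"],
      mappings: "AAAA" }) },
  { path: "lib/util.js", content: "module.exports = {};\n" },
];

// Returns one finding per shipped map, inline map, or reference to an external map.
function auditPackFiles(files) {
  const findings = [];
  for (const f of files) {
    if (f.path.endsWith(".map")) {
      let map = null;
      try { map = JSON.parse(f.content); } catch { /* unparsable: still report it */ }
      const sources = Array.isArray(map?.sources) ? map.sources : [];
      // sourcesContent holds the original files verbatim, one string per source.
      const embedded = Array.isArray(map?.sourcesContent)
        ? map.sourcesContent.filter((s) => typeof s === "string" && s.length > 0)
        : [];
      findings.push({
        path: f.path, kind: "source-map",
        sources: sources.length,
        embeddedSources: embedded.length,
        embeddedLines: embedded.reduce((n, s) => n + s.split("\n").length, 0),
      });
    } else if (/\.(c|m)?js$/.test(f.path)) {
      const m = /\/\/[#@]\s*sourceMappingURL=(\S+)/.exec(f.content);
      if (m) {
        const inline = m[1].startsWith("data:"); // map embedded in the JS file itself
        findings.push({ path: f.path, kind: inline ? "inline-map" : "map-reference",
          target: inline ? "(data URI)" : m[1] });
      }
    }
  }
  return findings;
}

// Block the release if any map (file or inline) would ship; a dangling reference alone is harmless.
function releaseAllowed(files) {
  return auditPackFiles(files).every((x) => x.kind === "map-reference");
}
```

In a pipeline, the file list would come from the paths reported by `npm pack --dry-run --json`, with contents read from disk, rather than from the constructed sample.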

2. CERT-UA Impersonation Campaign Distributes AGEWHEEZE Malware to One Million Targets

Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed a sophisticated phishing campaign in which attackers impersonated the agency itself. Tracked as UAC-0255, the threat actors sent emails on 26-27 March 2026 posing as CERT-UA, distributing a password-protected ZIP archive masquerading as “specialized security software.” The archive, hosted on Files.fm, delivered a Go-based remote access trojan codenamed AGEWHEEZE. The target list was expansive: state organisations, medical centres, security companies, educational institutions, financial institutions, and software development firms. Some fraudulent emails originated from the domain “cert-ua[.]tech,” a deliberate impersonation of the legitimate agency. CERT-UA urged all organisations to verify the authenticity of any communications claiming to originate from the agency and to avoid executing attachments from unverified sources. The scale of this campaign—reaching approximately one million email addresses—underscores the growing trend of threat actors hijacking the identities of trusted security institutions to maximise their reach and effectiveness.

3. FBI Issues Warning Against Chinese Mobile Applications

The U.S. Federal Bureau of Investigation issued a formal warning to American citizens this week, advising against the use of foreign-developed mobile applications, with particular emphasis on those created by Chinese developers. The FBI cited significant data privacy and national security risks, noting that such applications may collect excessive personal information, share data with foreign intelligence services, and lack meaningful transparency about their data handling practices. This warning aligns with broader geopolitical tensions around technology supply chains and echoes similar advisories from other Five Eyes intelligence alliance members. The FBI’s public stance reflects growing concern that consumer mobile applications represent an underappreciated vector for intelligence collection and corporate espionage at scale.

4. European Commission Hit by Cyberattack on Cloud Infrastructure

The European Commission confirmed on 27 March that a cyberattack had struck the cloud infrastructure hosting the Europa web platform on 24 March 2026. The Europa portal serves as the primary public-facing website for the European Union, providing access to information about EU policies, institutions, and legislative processes. While the full scope of the incident remains under investigation, the attack on such a high-profile government platform highlights the persistent threat facing public sector digital infrastructure across Europe. The Commission has not yet attributed the attack to any specific threat group, and it is unclear whether citizen data was compromised. The incident comes amid heightened tensions around state-sponsored cyber operations targeting European government entities and critical infrastructure.

5. HackerOne Discloses Breach Involving Third-Party System

HackerOne, one of the world’s largest bug bounty and vulnerability coordination platforms, disclosed a data breach involving a third-party system that exposed employee personal data. The irony of a security-focused company suffering a breach was not lost on the cybersecurity community. While the company stated that no vulnerability data submitted by researchers was compromised, the exposure of employee personal information represents a reputational and operational risk. The incident highlights the persistent challenge of securing extended supply chains—even organisations dedicated to security are only as strong as their weakest vendor link. HackerOne says it has taken steps to secure the affected third-party system and is notifying impacted employees.

6. Yanluowang Ransomware Operator Sentenced to 81 Months in Prison

In a significant victory for law enforcement, Aleksei Volkov was sentenced to 81 months in federal prison for his role in Yanluowang ransomware attacks. Yanluowang was a prolific ransomware operation that targeted organisations across multiple sectors, employing double-extortion tactics by both encrypting victim systems and threatening to publish stolen data. Volkov’s sentencing sends a clear message to the ransomware ecosystem that international law enforcement cooperation is producing tangible results. The case also reflects the growing sophistication of attribution efforts by agencies including the FBI, Europol, and their international partners. While the sentence is substantial, the ransomware landscape continues to evolve with new groups constantly emerging to fill vacuums left by disrupted operations.

7. 29 Million Hardcoded Secrets Discovered on GitHub in 2025

GitGuardian’s annual State of Secrets Sprawl 2026 report revealed a staggering figure: 29 million new hardcoded secrets were found in public GitHub commits during 2025 alone—a 34% year-over-year increase and the largest single-year jump ever recorded. The secrets include API keys, database credentials, cloud service tokens, encryption keys, and authentication certificates. The continued proliferation of secrets in source code represents one of the most pervasive yet underappreciated risks in modern software development. Despite advances in secret scanning tools and pre-commit hooks, developers continue to inadvertently commit sensitive credentials to public repositories, where automated tools harvest them within minutes. GitGuardian’s findings suggest that the problem is worsening despite increased awareness, driven by the explosive growth in software development activity and the complexity of modern CI/CD pipelines.

8. CISA Orders Emergency Patching of Actively Exploited Citrix NetScaler Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency binding operational directive ordering all federal civilian agencies to patch their Citrix NetScaler appliances against an actively exploited vulnerability. The agency set a deadline of Thursday for compliance, signalling the severity of the threat. Citrix NetScaler devices are widely deployed in enterprise environments for application delivery, load balancing, and VPN services, making them high-value targets for threat actors. Active exploitation in the wild means that the window for patching ahead of attackers has effectively closed: organisations running unpatched NetScaler appliances should assume they are already being targeted. CISA’s emergency directive applies to federal agencies but serves as an urgent warning to private sector organisations running the same infrastructure.

9. Ransomware Claims Hit 7,655 Across 129 Groups in Past Year

A comprehensive analysis by CipherCue revealed that 7,655 ransomware victim claims were posted across dark web leak sites by 129 distinct ransomware groups between March 2025 and March 2026. The victims spanned 141 countries, demonstrating the truly global reach of the ransomware ecosystem. The data paints a picture of a maturing criminal industry with deep specialisation: some groups focus exclusively on specific sectors, others operate as ransomware-as-a-service platforms, and many have evolved from simple encryption attacks to sophisticated multi-extortion operations involving data theft, DDoS attacks, and regulatory reporting threats. The sheer volume of claims suggests that the actual number of attacks is likely far higher, as many victims negotiate quietly or never report incidents at all.

10. Illicit Cryptocurrency Addresses Received $154 Billion in 2025

The cryptocurrency crime landscape reached an unprecedented milestone in 2025, with illicit cryptocurrency addresses receiving at least $154 billion, according to blockchain analysis firms. The figure encompasses proceeds from ransomware payments, fraud schemes, darknet market transactions, stolen funds, and sanctions evasion. While blockchain’s transparency makes it possible to trace these flows, the rapid evolution of mixing services, cross-chain bridges, and privacy-focused protocols continues to complicate law enforcement efforts. The $154 billion figure represents a dramatic escalation from previous years and underscores the deepening intersection between traditional cybercrime and the cryptocurrency ecosystem. Security professionals increasingly need blockchain forensic capabilities as part of their incident response toolkits.

Looking Ahead

This week’s stories reinforce several persistent themes in cybersecurity: the expanding attack surface created by AI tools and cloud infrastructure, the weaponisation of trusted identities and platforms by threat actors, the critical importance of timely patching, and the growing scale of both state-sponsored and criminal cyber operations. For defenders, the message is clear—vigilance, automation, and supply chain security are no longer optional investments but existential necessities. Stay safe out there.