Two supply chain events converged within 48 hours: Anthropic’s Claude Code npm v2.1.88 exposed ~512,000 lines of internal TypeScript source via embedded source maps (intellectual property and security posture leak), while a trojanized Axios dependency reportedly delivered a cross-platform RAT during a ~3-hour window on 2026-03-31. Organizations that updated Claude Code during that UTC window should treat affected developer workstations and CI/CD nodes as potentially compromised, rotate all accessible credentials, and reimage hosts showing active compromise indicators. No CVEs are currently assigned; all source reporting is T3 pending official Anthropic and Axios advisories.