Claude Code spotted hidden malware before a repo merge

Claude Code was running with the Opus model to clean up and merge branches across several . During one merge, it stopped because the incoming commit appeared to contain malware, then refused to merge or build it. The harmful code was one obfuscated block added to the end of next.config.js, after module.exports.

Next.js runs that file during every build, so the code could have run during the next local build or CI build. Claude identified the change from the diff as an EtherHiding loader and reverse engineered the payload without running it. The exact entry point could not be confirmed, but the likely path was an infected contractor machine used for normal repo work through Upwork.

The suspected campaign usually starts with a malicious that runs code during install, then spreads by reading cached git on the infected machine and pushing into those can access.

Key points

  • Claude Code stopped a branch merge after detecting malware in the incoming commit.
  • The suspicious code was hidden as an obfuscated block inside next.config.js.
  • Because Next.js runs that file on builds, the malware could have run in CI.
  • Claude labeled it as an EtherHiding loader and analyzed it without executing it.
  • The likely source was an infected contractor machine, possibly through a malicious .
Read original