An unnamed threat actor has successfully incorporated Anthropic's Claude Code AI coding assistant into their workflow to run a large-scale credential harvesting operation, researchers have found.
Microsoft principal security researcher Zach Stanford and Palo Alto Networks' Unit 42 technical director Renzon Cruz published an analysis in The DFIR Report, a security intelligence service, documenting an exposed server that had been active since at least September last year.
It shows how an operation named Bissa scanner accumulated more than 900 successful exploitations, with assistance from Claude Code.
Stanford and Cruz said the server contained over 13,000 files in more than 150 directories, used for exploitation, victim data staging, credential harvesting, access validation and the threat actor's workflow management.
A storage bucket named "bissapromax" contained over 30,000 different .env filenames collected from April 10 to 21, 2026.
The infrastructure was not designed simply to store opportunistically stolen data; it supported an organised operation to acquire access at scale, the researchers wrote.
"Harvested data included large volumes of environment files and credentials spanning AI providers, cloud services, payment platforms, databases, and messaging systems," Stanford and Cruz wrote.
Credentials captured by Bissa scanner span "every tier of modern SaaS", with AI providers the single largest category; the researchers list Anthropic, Google, OpenAI, Mistral, OpenRouter, Groq, Replicate, DeepSeek and Hugging Face among the affected platforms.
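For a defender handed a dump like the one described above, the first job is working out which of the harvested keys to revoke first. The triage script below is an added example written for this article; it is not code from The DFIR Report, the researchers, or the Bissa tooling. The key-prefix regexes are assumptions drawn from commonly seen key formats (DeepSeek and Mistral keys, for instance, have no distinctive prefix and are matched on the variable name instead), the revocation ordering is an assumed choice, and the sample .env content is constructed.

```python
"""
Triage a dump of .env files: parse each file, classify every secret by
provider and category, and summarise what needs revoking first.
Added example for this article, not code from The DFIR Report or the Bissa
tooling. Key-format regexes are assumptions based on commonly seen prefixes;
SAMPLE_ENV is constructed and contains no real credentials.
"""
import re
from collections import Counter

# Value-format patterns, most specific first (Anthropic and OpenRouter must be
# tried before the generic "sk-" OpenAI form). All prefixes are assumed.
VALUE_PATTERNS = [
    ("ai", "anthropic",      re.compile(r"^sk-ant-[A-Za-z0-9_-]{20,}$")),
    ("ai", "openrouter",     re.compile(r"^sk-or-v1-[0-9a-f]{20,}$")),
    ("ai", "openai",         re.compile(r"^sk-(?:proj-)?[A-Za-z0-9_-]{20,}$")),
    ("ai", "huggingface",    re.compile(r"^hf_[A-Za-z0-9]{20,}$")),
    ("ai", "groq",           re.compile(r"^gsk_[A-Za-z0-9]{20,}$")),
    ("ai", "replicate",      re.compile(r"^r8_[A-Za-z0-9]{20,}$")),
    ("ai", "google",         re.compile(r"^AIza[0-9A-Za-z_-]{30,}$")),
    ("cloud", "aws",         re.compile(r"^(?:AKIA|ASIA)[0-9A-Z]{16}$")),
    ("payment", "stripe",    re.compile(r"^(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{20,}$")),
    ("messaging", "slack",   re.compile(r"^xox[abp]-[A-Za-z0-9-]{20,}$")),
    ("messaging", "telegram", re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{35}$")),
    ("database", "db-url",   re.compile(r"^(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://\S+$", re.I)),
]

# Providers whose keys carry no distinctive prefix: fall back on the variable name.
NAME_HINTS = {"MISTRAL": ("ai", "mistral"), "DEEPSEEK": ("ai", "deepseek")}
SECRET_WORDS = ("KEY", "SECRET", "TOKEN", "PASSWORD")
# Assumed revocation priority: infrastructure and money before model access.
PRIORITY = {"cloud": 0, "payment": 1, "database": 2, "messaging": 3, "ai": 4, "unknown": 5}

ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse KEY=VALUE lines (optional 'export', quotes, trailing comments)."""
    out = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m:
            continue  # blank lines and '#' comments never match
        name, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        else:
            val = val.split(" #", 1)[0].strip()
        out[name] = val
    return out


def classify(name, value):
    """Return (category, provider) for a credential, or None if it is not one."""
    if not value:
        return None
    upper = name.upper()
    looks_secret = any(w in upper for w in SECRET_WORDS)
    if looks_secret:
        for hint, label in NAME_HINTS.items():
            if hint in upper:
                return label
    for cat, prov, rx in VALUE_PATTERNS:
        if rx.match(value):
            return (cat, prov)
    return ("unknown", "unclassified-secret") if looks_secret else None


def redact(value):
    """Keep enough of the key to identify it in a report without reprinting it."""
    if len(value) <= 12:
        return "***"
    return value[:6] + "..." + value[-4:]


def triage(text):
    """Classify one .env file; return findings in revocation order plus per-category counts."""
    findings = []
    for name, value in parse_env(text).items():
        label = classify(name, value)
        if label is None:
            continue
        cat, prov = label
        findings.append({"name": name, "category": cat, "provider": prov, "value": redact(value)})
    findings.sort(key=lambda f: (PRIORITY.get(f["category"], 9), f["provider"]))
    return findings, Counter(f["category"] for f in findings)


# Constructed sample .env; every value is a placeholder, not a real credential.
SAMPLE_ENV = """
# constructed sample, not real credentials
APP_ENV=production
ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000
OPENAI_API_KEY="sk-proj-EXAMPLEEXAMPLEEXAMPLEEXAMPLE00"
DEEPSEEK_API_KEY=sk-EXAMPLEEXAMPLEEXAMPLEEXAMPLE1111
HF_TOKEN=hf_EXAMPLEEXAMPLEEXAMPLEEXAM
GROQ_API_KEY=gsk_EXAMPLEEXAMPLEEXAMPLEEXAMPLE
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
STRIPE_SECRET_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLEEX
DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod
TELEGRAM_BOT_TOKEN=123456789:AAExampleExampleExampleExampleExamp
export SLACK_BOT_TOKEN=xoxb-EXAMPLE-EXAMPLE-EXAMPLEEXAMPLE
LOG_LEVEL=info   # not a secret
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE_ENV)
    for f in found:
        print(f"{f['category']:10} {f['provider']:14} {f['name']} = {f['value']}")
    print(dict(counts))
```

Run over a directory of recovered files, the per-category counts give the same breakdown the researchers describe (AI providers dominating), while the sorted findings are the revocation worklist: cloud and payment keys first, because those are the ones that turn a leaked file into an infrastructure or financial compromise rather than a model-usage bill.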
AI-assisted workflow
Alongside Claude Code, the autonomous AI agent framework OpenClaw was also embedded in the threat actor's workflow, used for troubleshooting, orchestration and refinement of the collection pipeline.
Bissa scanner exploits the React2Shell vulnerability, which New Zealand security researcher Lachlan Davidson discovered and reported to Meta on November 29 last year.
The flaw, in React Server Components, can be abused for remote code execution and carries the maximum score of 10.0 under the Common Vulnerability Scoring System (CVSS) 3.0.
Patches for React2Shell have been available since December last year, so the servers compromised during the bucket's April collection window were running code that had gone unpatched for more than four months.
Two operator-controlled bots on the Telegram messaging app were also part of the setup: one sent automated notifications of successful hits to a private chat, and a second, which Stanford and Cruz found referenced in OpenClaw logs, may have played a part in the threat actor's workflow.
A member of The DFIR Report team told iTnews that the project transcripts show the AI being used as a development and troubleshooting assistant against the operator's own codebase.
"In our view, Claude was part of the operator-side engineering harness, not the component that directly delivered the exploit traffic," the team member said.
"The actual scanning/exploitation was done by the Bissa tooling," the team member added.
Whether the threat actor tried to evade Claude's guardrails is not clear, as Stanford and Cruz did not have access to the prompts given to Claude.
As for the threat actor's capability, The DFIR Report team member said they "did not read as unsophisticated", but the operator did not come across as top-tier or a highly polished developer either.
"The exposed server included a distributed scanner/exploiter with leased target feeds, async workers, a fairly substantial recon/exfil payload, archiving to a Filebase S3-compatible bucket, and Telegram notification of hits," the team member said.
"At the same time, the transcripts also show them leaning on Claude for codebase understanding and troubleshooting and dealing with reliability problems in their own AI relay/proxy layer."
The DFIR Report team does not know whether the threat actor has noticed that the Bissa scanner infrastructure has been exposed, and added that evidence of the operation has been shared "with the proper authorities", without divulging who those authorities are.