
Threat actors are creating phony GitHub repositories that exploit the recent Claude Code source code leak to spread the Vidar information-stealing malware.
In the wake of Anthropic’s large, unintentional source code leak on March 31, 2026, attackers are using fake GitHub repositories and malicious Google Ads to distribute infostealer malware posing as “leaked” or “unlocked” versions of Claude Code.
Claude Code is an Anthropic terminal-based AI agent that is capable of direct system contact, LLM API call processing, MCP integration, and permanent memory. It is intended to carry out coding activities directly in the terminal and function as an autonomous agent.
Last Tuesday, March 31st, Anthropic unintentionally included a 59.8 MB JavaScript source map in the published npm package, exposing the whole client-side source code of the new tool.
Attackers are exploiting the Claude Code leak to trick developers into installing malware. They use fake websites, GitHub repos, and Google ads to deliver info-stealers (Vidar, Amatera, AMOS) and proxy malware (GhostSocks). A separate npm supply chain attack on the axios package on March 31 may have also compromised users.
The leak included 1,906 files with 513,000 lines of unobfuscated TypeScript, exposing the agent’s execution systems, permissions, orchestration logic, hidden features, development information, and security-related internals.
Many others quickly downloaded the leaked code, which was then posted on GitHub and forked thousands of times.
The disclosure gave threat actors a chance to distribute the Vidar infostealer to people searching for the Claude Code leak, according to a report from cloud security firm Zscaler.
The researchers discovered that a fraudulent GitHub repository created by user “idbzoomh” posted a phony leak and promoted it as having no usage limitations and “unlocked enterprise features.”
The repository is optimized for search engines and appears among the top Google Search results for phrases like “leaked Claude Code,” driving traffic to the fake leak.
According to the researchers, curious visitors download a 7-Zip archive containing ClaudeCode_x64.exe, a Rust-based executable. This dropper launches GhostSocks, a network traffic proxying tool, and Vidar, a commodity information stealer.
Zscaler found that the malicious archive is often updated, indicating that future iterations might include additional payloads.
The researchers also discovered a second GitHub repository with the same code; at the time of analysis, it displayed a “Download ZIP” button instead. According to Zscaler, it is run by the same threat actor, who is probably testing different distribution methods.
GitHub has frequently been exploited to disseminate malicious payloads that are disguised in different ways, despite the platform’s protections.
Threat actors used repositories purporting to include proof-of-concept (PoC) exploits for recently discovered vulnerabilities to target novice researchers or cybercriminals in campaigns in late 2025.
Attackers have always been eager to capitalize on well-publicized incidents, hoping to turn the attention to their advantage.
Further details confirm that the leak wasn’t a hack but an Anthropic packaging mistake: a 60MB source map file was accidentally included in an npm package, exposing ~512,000 lines of TypeScript code. Within hours, the code had spread worldwide, been analyzed, and been rewritten in other languages to evade DMCA takedowns.
Avoid unofficial “leaked” Claude Code repositories: don’t download, fork, or run anything from them. Stick to Anthropic’s official site or verified npm page for installation. If you touched any suspicious repos on March 31, 2026, rotate all your API keys and credentials immediately.
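The root cause described above, a JavaScript source map shipped inside a published npm package, is the kind of mistake a pre-publish check can catch. The script below is an added example, not code from Anthropic, Zscaler, or the article: it audits an npm tarball for `.map` files, distinguishes maps that embed the original source text (`sourcesContent`, the field that actually exposes TypeScript) from maps that only reference paths, and flags oversized entries. It assumes npm’s standard `package/` prefix inside the tarball and the source map v3 JSON layout; the 10 MiB size threshold and the sample package are constructed for illustration.

```python
import io
import json
import tarfile

# Files larger than this inside a published tarball deserve a second look.
# 10 MiB is a constructed threshold for this example, not a value from the article.
SIZE_LIMIT = 10 * 1024 * 1024


def _inspect_source_map(raw: bytes) -> str:
    """Classify a .map file: 'embedded-sources' if it carries sourcesContent
    (the original source text), 'references-only' if it merely names source
    paths, 'unparseable' if it is not a JSON object."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "unparseable"
    if not isinstance(doc, dict):
        return "unparseable"
    if any(doc.get("sourcesContent") or []):
        return "embedded-sources"
    return "references-only"


def audit_npm_tarball(data: bytes, size_limit: int = SIZE_LIMIT) -> list:
    """Return (kind, path, detail) findings for an npm package tarball (.tgz)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.endswith(".map"):
                fh = tar.extractfile(member)
                kind = _inspect_source_map(fh.read()) if fh else "unparseable"
                findings.append(("source-map", member.name, kind))
            elif member.size > size_limit:
                findings.append(("oversized", member.name, member.size))
    return findings


def has_leaked_sources(findings: list) -> bool:
    """True if any source map in the findings embeds original source text."""
    return any(kind == "source-map" and detail == "embedded-sources"
               for kind, _path, detail in findings)


def build_tarball(entries: dict) -> bytes:
    """Build an in-memory .tgz using npm's 'package/' prefix from {path: bytes}.
    Used here only to construct sample input; a real check reads `npm pack` output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(name="package/" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample package: one map that embeds TypeScript (the damaging case),
# one map that only references paths, and ordinary files that should pass.
CONSTRUCTED_PACKAGE = build_tarball({
    "package.json": b'{"name":"example-cli","version":"0.0.1","bin":"cli.js"}',
    "cli.js": b'"use strict";console.log("hello");\n//# sourceMappingURL=cli.js.map\n',
    "cli.js.map": json.dumps({
        "version": 3,
        "sources": ["src/main.ts"],
        "sourcesContent": ["export const secretInternal = () => 'hidden feature';"],
        "mappings": "AAAA",
    }).encode(),
    "vendor/lib.js.map": json.dumps({
        "version": 3,
        "sources": ["lib.ts"],
        "mappings": "AAAA",
    }).encode(),
})


if __name__ == "__main__":
    results = audit_npm_tarball(CONSTRUCTED_PACKAGE)
    for kind, path, detail in results:
        print(f"{kind:12} {path:28} {detail}")
    if has_leaked_sources(results):
        raise SystemExit("refusing to publish: source map with embedded sources found")
```

In a release pipeline this would run against the tarball produced by `npm pack` before `npm publish`; a non-zero exit blocks the release when a map with `sourcesContent` is present, while reference-only maps and large files are reported for review rather than blocked.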