Hackers exploit Claude Code leak to spread credential-stealing malware via fake GitHub repos

Hackers Are Using Claude Code Leak As Bait to Spread Malware

A hacker was quick to pounce on the accidental leak of Anthropic's AI tool, Claude Code, by spreading malware on a GitHub page that claimed to host the source code. Cybersecurity vendor Zscaler spotted a hacker exploiting interest in the Claude Code leak to push two malware strains, Vidar and Ghostsocks. Zscaler traced the threat to a GitHub page from the account "idbzoomh," which purports to offer the leaked source code for Claude Code and claims: "I spent significant effort rebuilding the entire build system from scratch, fixing every compilation error, and making this source snapshot actually work." The offer could be tempting to users looking for a copy of the leak, especially since Anthropic has been using copyright takedowns to remove it from GitHub. Idbzoomh's page even claims the leak has been used to develop "Claude Code Unlocked," a way to run Anthropic's AI tool for free, including access to a "jailbreak mode." That's different from the actual leak, which only contains a partial source for the AI tool, not model weights or training data. Zscaler says the page will actually serve up a malicious ZIP archive containing both Windows-based malware strains, with Vidar acting as an information stealer, while Ghostsocks can let the hacker use an infected PC as a proxy to route their internet traffic. The malware infection attempt could trigger security alerts on a PC. So to avoid arousing suspicions, the GitHub page also says: "This application is an experimental tool for Security Research. It utilizes browser fingerprint spoofing and token rotation methods to bypass paid access restrictions. The authors are not responsible for the use of this software." Despite Zscaler's findings, the malicious Claude Code leak page remains up. GitHub didn't immediately respond to a request for comment. In the meantime, Zscaler warns: "Threat actors can (and already are) seeding trojanized versions with backdoors, data exfiltrators, or cryptominers. Unsuspecting users cloning 'official-looking' forks risks immediate compromise."

Fake Claude Code source downloads actually delivered malware

Tens of thousands of people eagerly downloaded the leaked Claude Code source code this week, and some of those downloads came with a side of credential-stealing malware. A malicious GitHub repository published by idbzoomh uses the Claude Code exposure as a lure to trick people into downloading malware, including Vidar, an infostealer that snarfs account credentials, credit card data, and browser history; and GhostSocks, which is used to proxy network traffic. Zscaler's ThreatLabz researchers came across the repo while monitoring GitHub for threats, and said it's disguised as a leaked TypeScript source code for Anthropic's Claude Code CLI. "The README file even claims the code was exposed through a .map file in the npm package and then rebuilt into a working fork with 'unlocked' enterprise features and no message limits," the security sleuths said in a Thursday blog. They added that the GitHub repository link appeared near the top of Google results for searches like "leaked Claude Code." While that was no longer the case at The Register's time of publication, at least two of the developer's trojanized Claude Code source leak repos remained on GitHub, and one of them had 793 forks and 564 stars. The malicious .7z archive in the repository's releases section is named Claude Code - Leaked Source Code, and it includes a Rust-based dropper named ClaudeCode_x64.exe. Once it's executed, the malware drops Vidar v18.7 and GhostSocks onto users' machines, and then the Vidar stealer gets to work collecting sensitive data while GhostSocks turns infected devices into proxy infrastructure that criminals can use to mask their true online location and carry out additional activity through compromised computers. In March, security shop Huntress warned about a similar malware campaign using OpenClaw, the already risky AI agent platform, as a GitHub lure to deliver the same two payloads. Both of these illustrate how quickly criminals move to take a buzzy new product or news event (like OpenClaw and the Claude Code leak) and then abuse it for online scams and financial gain. "That kind of rapid movement increases the chance of opportunistic compromise, especially through trojanized repositories," the Zscaler team wrote. The blog also includes a list of indicators of compromise, including the GitHub repositories with the trojanized Claude Code leak and malware hashes to help defenders in their threat-hunting efforts, so be sure to check that out - and, as always, be careful what you download. ®

Claude Code leak used to push infostealer malware on GitHub

Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware. Claude Code is a terminal-based AI agent from Anthropic, designed to execute coding tasks directly in the terminal and act as an autonomous agent, capable of direct system interaction, LLM API call handling, MCP integration, and persistent memory. On March 31, Anthropic accidentally exposed the full client-side source code of the new tool via a 59.8 MB JavaScript source map included by accident in the published npm package. The leak contained 513,000 lines of unobfuscated TypeScript across 1,906 files, revealing the agent's orchestration logic, permissions, and execution systems, hidden features, build details, and security-related internals. The exposed code was rapidly downloaded by a large number of users and published on GitHub, where it was forked thousands of times. According to a report from cloud security company Zscaler, the leak created an opportunity for threat actors to deliver the Vidar infostealer to users looking for the Claude Code leak. The researchers found that a malicious GitHub repository published by user "idbzoomh" posted a fake leak and advertised it as having "unlocked enterprise features" and no usage restrictions. To drive as much traffic to the bogus leak, the repository is optimized for search engines and is shown among the first results on Google Search for queries like "leaked Claude Code." According to the researchers, curious users download a 7-Zip archive that contains a Rust-based executable named ClaudeCode_x64.exe. When launched, the dropper deploys Vidar, a commodity information stealer, along with the GhostSocks network traffic proxying tool. Zscaler discovered that the malicious archive is updated frequently, so other payloads may be added in future iterations. The researchers also spotted a second GitHub repository with identical code, but it instead shows a 'Download ZIP' button that wasn't functional at the time of analysis. Zscaler estimates it is operated by the same threat actor who likely experiments with delivery strategies. Despite the platform's defenses, GitHub has often been used to distribute malicious payloads disguised in various ways. In campaigns in late 2025, threat actors targeted inexperienced researchers or cybercriminals with repositories claiming to host proof-of-concept (PoC) exploits for recently disclosed vulnerabilities. Historically, attackers were quick to capitalize on widely publicized events in the hope of opportunistic compromises.