Claude Code Leak Used to Push Infostealer Malware on GitHub
Threat actors exploited an accidental leak of Claude Code’s full client‑side source code, creating fake GitHub repositories that entice users to download a malicious archive containing the Vidar infostealer and GhostSocks traffic proxy. The repositories are heavily promoted via search engine optimization, attracting many downloads, and may evolve with additional payloads. This incident highlights how public code leaks can be weaponized for malware distribution on platforms like GitHub.

Threat actors are weaponizing the Claude Code source-code leak by distributing fake GitHub repositories designed to deliver Vidar information-stealing malware. Claude Code, a terminal-based AI assistant from Anthropic, is intended to perform coding tasks directly in the terminal and function as an autonomous agent capable of direct system interaction, API handling, and memory persistence. The recent events center on how the leak of its client-side tooling has created a conduit for malicious activity.
On March 31, Anthropic unintentionally exposed the full client-side source code of Claude Code via a JavaScript source map that accompanied a published npm package. The map was large—59.8 MB—and contained 513,000 lines of unobfuscated TypeScript across 1,906 files. The materials revealed the agent’s orchestration logic, permissions, execution systems, hidden features, build details, and security-related internals. In short order, the leaked material was downloaded by a substantial number of users and then published on GitHub, where forks surged into the thousands.
Research from the cloud security firm Zscaler indicates that this leak created an opportunity for threat actors to push Vidar, a widely sold information stealer, to individuals who were seeking information about the Claude Code leak. The researchers identified a malicious GitHub repository operated by a user named “idbzoimh” that posted a fake leak and claimed it offered “unlocked enterprise features” with no usage restrictions. The repository appeared optimized for search engines and ranked highly in queries such as “leaked Claude Code,” funneling curious users toward the malicious content.
Within the repository, users could download a 7-zip archive containing a Rust-based executable named ClaudeCode_x64.exe. When executed, this dropper deployed Vidar, along with GhostSocks, a tool used for network traffic proxying. Zscaler noted that the malicious archive was frequently updated, suggesting ongoing experimentation with payloads and delivery mechanisms. A second GitHub repository surfaced with identical code but a non-functional “Download ZIP” button at the time of analysis, which Zscaler attributed to the same actor testing different delivery strategies.
This is not an isolated tactic. GitHub has historically hosted numerous malicious payloads disguised in various formats, and attackers have repeatedly exploited high-profile disclosures to lure in victims. In late 2025, there were campaigns targeting relatively new researchers or casual cybercriminals with repositories that claimed to host proof-of-concept exploits for recently disclosed vulnerabilities. The pattern—capitalizing on widely publicized events to maximize reach and potential compromises—appears to be continuing through the Claude Code situation.
The incident underscores how a large-scale exposure of proprietary tooling can become a foothold for attackers who are quick to repurpose leaked material into weaponized payloads. As threat actors migrate toward search-optimized, easily accessible deceptive artifacts, the risk to individuals browsing for information about high-profile leaks remains non-trivial.