Fake Claude Code GitHub Repos Spread Vidar Infostealer and GhostSocks
Threat actors used fake GitHub repositories themed around Anthropic's leaked Claude Code source to distribute malware to users searching for the exposed codebase. Researchers at Zscaler ThreatLabz said one repository, operated by user idbzoomh, promoted a supposed Claude Code leak with "unlocked enterprise features" and no restrictions, while search-engine optimization helped it rank for queries such as "leaked Claude Code." Victims who downloaded the offered archive received a Rust-based executable, ClaudeCode_x64.exe, instead of source code.
The executable acted as a dropper for the Vidar information stealer and the GhostSocks proxy malware. The lure followed Anthropic's accidental exposure of a 59.8 MB JavaScript source map in an npm package, which revealed roughly 513,000 lines of unobfuscated TypeScript across 1,906 files and exposed internal logic and security-related details. Zscaler also identified a second similar repository believed to be tied to the same actor, indicating an ongoing campaign that reportedly reached tens of thousands of users and mirrors recent malware delivery efforts built around fake developer-tool downloads.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Zscaler ThreatLabz reports malware campaign abusing Claude Code leak
Zscaler ThreatLabz publicly documented the malicious GitHub repositories and their use of the Claude Code leak as a lure for malware distribution. The disclosure linked the campaign to rapid attacker exploitation of high-profile developer and cybersecurity events.
Fake Claude Code archive delivers Vidar and GhostSocks malware
Users who downloaded the advertised 7-Zip archive received a Rust-based executable named ClaudeCode_x64.exe that installed the Vidar information stealer and the GhostSocks proxying tool. Reporting said the campaign affected tens of thousands of users.
Threat actor launches fake GitHub repos themed around Claude Code leak
After the leak, a threat actor created at least one search-engine-optimized GitHub repository posing as a leaked Claude Code release with "unlocked enterprise features" and no restrictions. Zscaler also identified a second similar repository likely tied to the same actor, indicating an ongoing malware delivery campaign.
Anthropic accidentally exposes Claude Code source map in npm package
Anthropic inadvertently published a 59.8 MB JavaScript source map for Claude Code in an npm package, exposing about 513,000 lines of unobfuscated TypeScript across 1,906 files and revealing internal logic, permissions, and security-related details. This leak became the lure later abused by threat actors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers Weaponize Claude Code Leak to Spread Vidar and GhostSocks Malware
cybersecuritynews.com
Open sourceClaude Code leak used to push infostealer malware on GitHub - DataBreaches.Net
databreaches.net
Open sourceClaude Code leak leveraged to distribute malware | brief | SC Media
scworld.com
Open sourceClaude Code leak used to push infostealer malware on GitHub
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious npm Package Exfiltrated Claude User Files to Attacker GitHub Repo
Researchers identified a malicious npm package, **`mouse5212-super-formatter`**, that posed as an internal archive deployment synchronization utility but acted as an infostealer during its `postinstall` phase. The package searched the **`/mnt/user-data`** directory used by Anthropic's Claude AI environment for uploads and outputs, then recursively exfiltrated files to a threat actor-controlled GitHub repository through the GitHub Contents API. To reduce suspicion, it also generated a fake network connections log that made its activity appear diagnostic. OX Security said the package had been downloaded about **676** times on npm, although confirmed compromises were limited, and researchers observed roughly **seven** exfiltration instances in the attacker repository before it was removed, most believed to be operator testing. The malware authenticated with either an environment token or a hardcoded private GitHub token, and that exposed token helped investigators trace the campaign; the attacker account had been created only hours before the first malicious release and was later deleted. Researchers dubbed the activity **"Malware-Slop"** and warned users to revoke GitHub access tokens and treat files stored in **`/mnt/user-data`** as potentially compromised.
May 28, 2026
Fake Claude AI Site Delivers Beagle Backdoor via Malvertising
A malvertising and SEO-poisoning campaign is impersonating Anthropic’s Claude AI with the domain `claude-pro[.]com`, luring users to download a trojanized Windows installer that deploys a newly identified backdoor called **Beagle**. Researchers said the fake site appeared in sponsored search results and mimicked Claude branding to distribute a ZIP archive containing an MSI package that installed a legitimate signed G DATA executable alongside a malicious DLL, abusing **DLL sideloading** to begin the infection chain. After execution, the malware decrypts additional payloads, launches DonutLoader, and loads Beagle entirely in memory to reduce disk-based detection. The backdoor provides remote access functions including command execution, file transfer, directory management, and self-uninstallation, and communicates with `license[.]claude-pro[.]com` over TCP 443 or UDP 8080 using a hardcoded AES key. Sophos X-Ops said the campaign has been active for months, uses anti-analysis measures and shared tooling such as a reused XOR key, and relies on infrastructure including Cloudflare and Alibaba Cloud; researchers also noted overlaps with activity linked to **PlugX** operators and related impersonation of vendors including Trellix, CrowdStrike, SentinelOne, and Microsoft Defender.
May 24, 2026
Malicious and unsafe use of Anthropic Claude Code leading to malware delivery and destructive infrastructure changes
Push Security reported an **“InstallFix” malvertising campaign** targeting developers searching for Anthropic’s *Claude Code* CLI. Attackers clone the legitimate installation page on lookalike domains and buy **Google Search ads** so the fake pages rank highly for queries like “install Claude Code” and “Claude Code CLI.” While links on the page route to Anthropic’s real site, the **copy‑paste install one‑liners** are replaced with malicious commands that fetch malware from attacker-controlled infrastructure; the Windows flow was observed delivering the **Amatera Stealer**, with macOS users likely targeted by similar info-stealing malware. Separately, a reported operational incident highlighted the risk of delegating privileged infrastructure actions to AI agents without strong guardrails: a developer described using *Claude Code* to run **Terraform** changes during an AWS migration and, after a missing Terraform state file led to duplicate resources, subsequent cleanup actions resulted in the **deletion of production components**, including a database and recovery snapshots—wiping roughly **2.5 years of records**. Together, the reports underscore two distinct but compounding risks around AI coding agents: **supply-chain style social engineering** via fake install instructions and **high-impact misexecution** when AI-driven automation is allowed to operate with destructive permissions in production environments.
May 12, 2026