Anthropic Claude Code Leak Triggers Malware Campaign on GitHub
Two malicious repositories identified as part of the ongoing attack
Anthropic accidentally exposed the source code for Claude Code via an npm package. The leak included around 513,000 lines of unobfuscated TypeScript code across 1,906 files.
The exposed code quickly spread across GitHub, where users forked and redistributed it widely. The scale and visibility of the leak made it an attractive target for cybercriminals looking to capitalize on the sudden interest.
Hackers weaponize leak with fake repositories
Security researchers at Zscaler identified an active malware campaign that uses the leaked Claude Code as bait. Attackers created fake GitHub repositories that impersonate the project and promise access to “unlocked enterprise features.”
These repositories aim to trick users into downloading malicious files by leveraging curiosity and urgency. This approach closely mirrors previous campaigns where attackers used trending tools or leaks to distribute malware.
How the attack works
The attack begins when a user downloads a malicious archive disguised as Claude Code. Inside, victims find a fake executable named ClaudeCode_x64.exe, which appears legitimate at first glance.
Once launched, the executable runs a Rust-based dropper that silently installs additional payloads on the system. The infection chain leads to the deployment of the Vidar infostealer, which targets credentials and sensitive data, along with the GhostSocks proxy tool that enables remote access and persistence.
Researchers noted that the malicious archive receives frequent updates, which indicates that the campaign remains active and continues to evolve.
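The chain above starts with a Windows executable inside an archive that is supposed to be Claude Code. Since Claude Code leaked as an npm package of unobfuscated TypeScript source, a compiled Windows binary in such an archive is already out of place. The following Python script is an added example (it is not from the article, from Zscaler, or from any IoC list) showing how a defender or package reviewer could triage a downloaded archive before running anything in it: it lists every member, flags executable extensions and PE ("MZ") headers, and records SHA-256 hashes for cross-referencing with published indicators. The sample archive, its README and TypeScript contents, and the bytes of the fake executable are constructed placeholders; only the file name ClaudeCode_x64.exe comes from the article.

```python
import hashlib
import io
import posixpath
import zipfile
from typing import Dict, List

# First two bytes of a Windows PE file (the "MZ" DOS header).
PE_MAGIC = b"MZ"

# Extensions that should never appear in a source-only TypeScript/npm release.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".bat", ".cmd", ".ps1", ".msi"}


def triage_archive(data: bytes) -> List[Dict]:
    """Inspect every member of a zip archive held in memory and report the
    ones that look like Windows executables. Each finding carries the member
    name, its size, its SHA-256 and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            reasons = []
            ext = posixpath.splitext(info.filename.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if content[:2] == PE_MAGIC:
                reasons.append("PE header (MZ) at offset 0")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "size": len(content),
                    "sha256": hashlib.sha256(content).hexdigest(),
                    "reasons": reasons,
                })
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the archive contains anything that triage_archive flags."""
    return bool(triage_archive(data))


def build_sample_archive(include_executable: bool = True) -> bytes:
    """Constructed test input mimicking the lure: a README, one TypeScript
    file and, optionally, a fake PE executable. The executable's bytes are a
    harmless placeholder (a bare MZ header), not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("claude-code/README.md",
                    "# Claude Code (unlocked enterprise features)\n")
        zf.writestr("claude-code/src/index.ts",
                    "export const main = () => console.log('hi');\n")
        if include_executable:
            zf.writestr("claude-code/ClaudeCode_x64.exe",
                        PE_MAGIC + b"\x00" * 62 + b"PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for finding in triage_archive(archive):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
        print(f"  size={finding['size']} sha256={finding['sha256']}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(archive) else "clean")
```

The hash is worth keeping even when the verdict is obvious: the article notes the lure archive is updated frequently, so a recorded SHA-256 lets a responder tell a new variant from one already reported. In a real workflow the script would run on the downloaded file rather than on the constructed sample, and a positive verdict should end in the archive being quarantined and reported, not executed.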
Multiple repositories signal coordinated activity
Zscaler also detected a second repository using the same technique, suggesting a coordinated effort by the same threat actor. The overall pattern aligns with previous GitHub abuse campaigns, where attackers exploit viral topics to maximize reach.
This tactic is not new, as similar schemes have used fake installers for tools like OpenClaw to spread malware.
Malware campaigns increasingly follow trending topics
The Claude Code incident highlights a growing trend in cybersecurity. Attackers now move quickly to weaponize popular news, leaks, and developer tools to lure unsuspecting users.
Recent threats such as the Axios-related malware campaign and the VoidStealer attack, which could extract encryption keys from Chrome memory, show how rapidly these campaigns evolve.
Users should remain cautious and avoid downloading unofficial or leaked software from unverified sources, especially when it gains sudden attention online.
Via BleepingComputer