Claude Code Leak Exploited to Spread Vidar and GhostSocks via GitHub Releases

Hackers exploited the exposed Claude Code source leak as a channel for malware distribution, using GitHub Releases to deliver the Vidar stealer and GhostSocks under the pretense of leaked Anthropic tools.

This incident highlights how failures in AI development governance can quickly escalate, leading to both conventional compromises and novel risks from autonomous systems.

The 59.8 MB leak revealed roughly 512,000 lines of internal TypeScript across ~1,900 files, effectively publishing the full Claude Code agentic framework via misconfigured .npmignore settings and Bun’s default sourcemaps.

Within hours, mirrored copies of the leaked code proliferated across GitHub, forcing Anthropic to pull the package, issue DMCA takedowns, and confirm the breach resulted solely from human error, not external intrusion.

In late March 2026, Anthropic unintentionally included a massive JavaScript source map in version 2.1.88 of its @anthropic-ai/claude-code npm package.

Within 24 hours of the leak gaining widespread attention, threat actors began seeding GitHub with fake “leaked Claude Code” repositories offering trojanized archives for download via GitHub Releases.

Vidar and GhostSocks via GitHub

Security researchers observed malicious repositories promising “Claude Code leak” downloads containing large 7z archives distributed through GitHub Releases.

Inside these archives, a Rust-compiled executable (variously named ClaudeCode_x64.exe, TradeAI.exe, and other brand-aligned variants) functioned as a loader dropping both Vidar stealer and GhostSocks proxy malware.

Vidar focuses on high-value theft, including browser credentials, cryptocurrency wallets, session tokens, and system details.

GhostSocks converts infected machines into SOCKS5 proxies, enabling operators to blend malicious traffic with legitimate user activity using residential-like infrastructure.

Attackers rotate disposable GitHub accounts and lure names, abusing GitHub Releases’ perceived trust while regularly rebuilding repositories to bypass takedowns.

The Claude Code angle was only the most recent lure in a broader campaign active since February 2026, previously impersonating AI tools, trading utilities, creative software, and general-purpose utilities—all delivering the same Rust-compiled infostealer dropper.

Trend Micro links this activity to an OpenClaw-style GitHub lure pattern that earlier used fake AI installers to spread GhostSocks and infostealers.

Search-driven discovery drives the infection chain. Users querying terms like “leaked Claude Code source,” “Claude Code download,” or similar AI-tool keywords encounter convincing repositories with minimal READMEs, fake download buttons embedded as images, and release assets sized to mimic legitimate software.

Execution triggers extensive sandbox and VM checks, followed by Vidar and GhostSocks deployment via encrypted configurations and multi-stage scripts that disable Windows Defender and open firewall ports for command-and-control traffic.

Long-term risk of the Claude Code leak

Beyond its use as a lure, the leaked Claude Code base introduces durable risk. Public access to production-scale agentic CLI exposes patterns accelerating vulnerability research against tooling interacting directly with developer environments.

Researchers and adversaries can mine the 512,000-line codebase for privilege escalation paths, arbitrary code-execution flaws, or weaknesses in agentic scaffolding handling file operations and tool invocation.

The source tree also exposes how Claude Code structures system prompts, tool definitions, and safety logic, providing blueprints for targeted prompt-injection and safety-bypass attempts.

Additionally, Anthropic’s anti-distillation mechanisms designed to prevent competitors from training on API traffic are now documented, allowing sophisticated adversaries to design ways around signature checks and canary tools.

Mitigation requires addressing both classic malware exposure and agentic risks. Organizations should restrict installation of AI developer tools like Claude Code to official channels and package managers, treating unofficial GitHub repositories and standalone installers as high risk.

Security teams should increase scrutiny of GitHub Releases, flagging newly created repositories hosting large archives with minimal development history, and block known Vidar and GhostSocks indicators at network and endpoint layers.

This incident underscores that compromise pathways increasingly flow through human and governance gaps, not just software flaws.

TrendAI’s Agentic Governance Gateway positions governance as the control plane for agentic AI, enabling discovery, observation, anomaly detection, and policy enforcement over autonomous decision-making.

In parallel, TrendAI Vision One integrates detections for the Vidar and GhostSocks IOCs in this campaign, providing customers with curated threat-hunting queries and intelligence to trace GitHub-delivered payload activity.

Related Articles

Back to top button