Hackers weaponize Claude Code leak to spread Vidar and GhostSocks malware
Developers searching for Anthropic’s leaked Claude Code source are getting trapped by fake GitHub repositories that deliver malware instead of code. Security researchers say attackers used the sudden interest around the March 31 leak to push Vidar, an information stealer, and GhostSocks, a malware tool that turns infected systems into proxy nodes.
The leak itself was real. Anthropic accidentally exposed internal Claude Code source through a 59.8 MB JavaScript source map bundled in the public @anthropic-ai/claude-code npm package version 2.1.88. Anthropic told the news outlet Axios that no sensitive customer data or credentials were exposed, and said the incident came from a release packaging issue caused by human error, not a security breach.
That mistake created a new lure for cybercriminals. Zscaler ThreatLabz says threat actors quickly set up malicious GitHub repositories that claimed to host the leaked Claude Code source, then used those repos to trick curious developers into downloading a fake archive.
How the attack works
Zscaler says one of the malicious repositories ranked near the top of Google results for searches such as “leaked Claude Code,” which increased the odds that developers would trust it. The fake repo claimed it offered a rebuilt fork with unlocked enterprise features and no message limits.
Instead of source code, victims got a .7z archive named “Claude Code – Leaked Source Code.” Inside it was ClaudeCode_x64.exe, which Zscaler identified as a Rust-based dropper. Once launched, the dropper installed Vidar v18.7 and GhostSocks on the victim’s machine.
Vidar steals sensitive data such as saved credentials and browser information, while GhostSocks can route traffic through the infected device. That combination gives attackers both stolen data and a way to hide later activity behind compromised systems.
Why this campaign matters
This attack works because it rides on a real event, not a made-up rumor. Developers knew Claude Code had leaked, saw heavy public discussion around it, and then searched for mirrors and forks. Attackers used that urgency and curiosity as bait.
The timing makes it worse. Zscaler noted that the Claude Code leak happened alongside the supply chain attack on the Axios npm package (the HTTP client library, not the news outlet cited above), which left developers working with AI and JavaScript tooling facing two incidents in the same window.
The bigger lesson is simple. Once proprietary code leaks into public view, attackers do not need to exploit the code itself to profit. They can weaponize the attention around the leak and hit developers through fake downloads, poisoned repositories, and search-driven social engineering.
What is confirmed so far
| Item | Confirmed details |
|---|---|
| Original leak | Anthropic accidentally exposed Claude Code source through a source map in npm package version 2.1.88. |
| Anthropic’s response | Anthropic said no sensitive customer data or credentials were exposed and called it a packaging issue caused by human error. |
| Malware lure | Zscaler found fake GitHub repos pretending to host the leaked source. |
| Malware payload | The fake archive dropped Vidar v18.7 and GhostSocks. |
| Search visibility | Zscaler said one malicious repo appeared near the top of Google results for leak-related searches. |
What developers should do now
Developers should avoid downloading, building, or running any repository that claims to offer the leaked Claude Code source. Zscaler says teams should rely only on Anthropic’s official channels and signed binaries.
Security teams should monitor developer workstations for unusual outbound traffic, unexpected processes, suspicious Git clones, and unplanned npm activity. Zscaler also recommends segmenting access to critical systems and avoiding AI agents with local shell access on untrusted codebases.
Anyone who downloaded one of these fake archives should treat the machine as compromised. That means isolating the system, rotating credentials, reviewing browser sessions, and checking for proxy abuse or credential theft. The payloads in this campaign do not behave like harmless proof-of-concept code.
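The monitoring advice above (unexpected processes, unusual outbound traffic) can be turned into a concrete correlation rule. The following is an added example, not code from the article or from Zscaler: it runs over constructed endpoint events (hypothetical process-creation and network-connection records with this example's own field names, not real telemetry), flags an executable launched from a user-writable download or temp path whose name rides the "Claude Code" lure, walks its process tree, and lists every outbound connection that tree made, calling out ports outside the usual 80/443. The port heuristic and path patterns are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical, not real logs). Field names are
# this example's own; map them onto whatever your EDR or Sysmon pipeline emits.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 3300,
     "image": r"C:\Users\dev\Downloads\Claude Code - Leaked Source Code\ClaudeCode_x64.exe"},
    {"type": "network_connect", "pid": 4120, "dest_ip": "203.0.113.45", "dest_port": 443},
    {"type": "process_create", "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\dev\AppData\Local\Temp\svc.exe"},
    {"type": "network_connect", "pid": 4188, "dest_ip": "198.51.100.7", "dest_port": 1080},
    {"type": "process_create", "pid": 5001, "ppid": 3300,
     "image": r"C:\Program Files\nodejs\node.exe"},
    {"type": "network_connect", "pid": 5001, "dest_ip": "104.16.0.1", "dest_port": 443},
]

# Executables started from a user-writable download or temp location (assumed paths).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Name pattern of the lure; extend with other hot topics as they appear.
LURE_NAME = re.compile(r"claude.?code", re.I)
# Ports a developer box normally talks to; anything else is worth a look (assumption).
EXPECTED_PORTS = {80, 443}


def is_suspicious_launch(ev):
    """A process image in a user-writable path whose name rides the lure."""
    image = ev["image"]
    return bool(USER_WRITABLE.match(image)) and bool(LURE_NAME.search(image))


def correlate(events):
    """Return one alert per suspicious launch, with its descendant processes and
    every outbound connection made by that process tree."""
    children = defaultdict(list)
    connections = defaultdict(list)
    processes = {}
    for ev in events:
        if ev["type"] == "process_create":
            processes[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev["type"] == "network_connect":
            connections[ev["pid"]].append((ev["dest_ip"], ev["dest_port"]))

    alerts = []
    for pid, ev in processes.items():
        if not is_suspicious_launch(ev):
            continue
        # Depth-first walk of the process tree rooted at the suspicious launch,
        # so a dropper's children (the stealer, the proxy client) are included.
        tree, stack = [], [pid]
        while stack:
            current = stack.pop()
            tree.append(current)
            stack.extend(children[current])
        tree_conns = [conn for p in tree for conn in connections[p]]
        alerts.append({
            "root_pid": pid,
            "image": ev["image"],
            "process_tree": sorted(tree),
            "connections": tree_conns,
            "unusual_ports": sorted({port for _, port in tree_conns if port not in EXPECTED_PORTS}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the dropper (pid 4120) is flagged, its child in Temp is pulled into the same alert, and the child's connection to port 1080 shows up as unusual outbound traffic; the legitimate node.exe launch is not flagged. In a real deployment the alert is the trigger for the response steps described above: isolate the host, then rotate credentials and review sessions.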
Red flags to watch for
- A GitHub repo promises “leaked Claude Code” with extra features or no usage limits.
- The download arrives as a prebuilt archive or executable instead of plain source files.
- The repo leans on recent news and viral attention to appear credible.
- Search results point to unofficial mirrors or recently created accounts.
- A supposed source-code release asks you to run a binary first. That is an immediate warning sign.
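The red flags above can be applied mechanically before anyone clones or extracts anything. The following is an added example, not code from the article or from Zscaler: a small triage routine over constructed repository metadata (hypothetical owner names, account dates, README text and file lists, with this example's own field names) that reports lure language, prebuilt archives or executables where source should be, a README that tells you to run a binary first, a freshly created owner account, and an owner outside an allowlist of official publishers. The allowlist is a parameter you fill in with the vendor's real organization; the one in the sample is a placeholder.

```python
from datetime import date
from pathlib import PurePosixPath

# Extensions a source release should mostly consist of versus prebuilt artifacts.
SOURCE_EXT = {".ts", ".tsx", ".js", ".mjs", ".json", ".py", ".rs", ".toml", ".yml", ".yaml"}
PREBUILT_EXT = {".exe", ".msi", ".dll", ".7z", ".zip", ".rar", ".bat", ".ps1"}
# Phrases the campaign leaned on; keep this list short and specific.
LURE_PHRASES = ("leaked", "unlocked", "no message limits", "enterprise features", "rebuilt fork")
# Instructions that ask for execution before any code is visible.
RUN_FIRST = ("run the installer", "run the .exe", "launch the executable", "extract and run")


def triage(repo, today, official_owners):
    """Return a list of human-readable red flags for one repository record."""
    flags = []
    readme = repo["readme"].lower()

    hits = [p for p in LURE_PHRASES if p in readme]
    if hits:
        flags.append("README uses lure language: " + ", ".join(hits))
    if any(p in readme for p in RUN_FIRST):
        flags.append("README asks you to run a binary before you can see any source")

    files = repo["files"]
    prebuilt = [f for f in files if PurePosixPath(f).suffix.lower() in PREBUILT_EXT]
    source = [f for f in files if PurePosixPath(f).suffix.lower() in SOURCE_EXT]
    if prebuilt and not source:
        flags.append("only prebuilt archives/executables, no plain source files: " + ", ".join(prebuilt))
    elif prebuilt:
        flags.append("prebuilt artifacts committed alongside source: " + ", ".join(prebuilt))

    age_days = (today - repo["owner_created"]).days
    if age_days < 30:
        flags.append(f"owner account is only {age_days} days old")
    if repo["owner"].lower() not in official_owners:
        flags.append(f"owner '{repo['owner']}' is not an official publisher")
    return flags


# Constructed sample records (hypothetical names and dates, not real repositories).
TODAY = date(2026, 4, 6)
OFFICIAL_OWNERS = {"example-vendor"}  # placeholder: replace with the vendor's real GitHub org
FAKE_REPO = {
    "owner": "claude-leak-mirror",
    "owner_created": date(2026, 3, 31),
    "readme": ("Leaked Claude Code! Rebuilt fork with unlocked enterprise features "
               "and no message limits. Extract and run ClaudeCode_x64.exe."),
    "files": ["README.md", "Claude Code - Leaked Source Code.7z"],
}
LEGIT_REPO = {
    "owner": "example-vendor",
    "owner_created": date(2021, 1, 15),
    "readme": "Command line tool. Install the published package from npm.",
    "files": ["package.json", "src/cli.ts", "src/tools/bash.ts", "README.md"],
}

if __name__ == "__main__":
    for name, repo in (("fake", FAKE_REPO), ("legit", LEGIT_REPO)):
        print(name, triage(repo, TODAY, OFFICIAL_OWNERS))
```

The fake record trips every check; the legitimate-looking record trips none. None of these checks proves a repository is malicious on its own, but a source release that consists of a single .7z and a README telling you to run an executable is exactly the shape this campaign took, and the script refuses to let that shape pass quietly.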
FAQ
Did the Claude Code leak itself deliver the malware?
No. The malware came from fake GitHub repositories that abused interest in the leak. Anthropic caused the original source exposure through a packaging mistake, but Zscaler says the Vidar and GhostSocks campaign came from third-party malicious repos.
How much code did the leak expose?
Zscaler says the leak exposed about 513,000 lines of unobfuscated TypeScript across 1,906 files through a source map shipped in npm package version 2.1.88. Anthropic said the leak did not include sensitive customer data or credentials.
What do Vidar and GhostSocks do?
Vidar is an information stealer designed to collect credentials and other sensitive data. GhostSocks can proxy network traffic through the infected system, which helps attackers hide or relay later activity.
Who is most at risk?
Developers, researchers, and curious users searching for Claude Code mirrors or unofficial downloads face the highest risk. Zscaler says the attackers specifically used search visibility and fake GitHub repos to catch that audience.