Anthropic’s accidental leak of the Claude Code source code on March 31 set off a frenzy of downloads across GitHub. Developers, researchers, and the simply curious all rushed to grab the exposed files. Criminals saw that rush and moved fast. Within 24 hours, fake GitHub repositories carrying Claude Code malware were live — and actively appearing in Google search results for anyone looking for the leaked code.
What Anthropic Accidentally Exposed
Claude Code is Anthropic’s terminal-based AI coding agent. It runs directly in a terminal, handles API calls, integrates with external tools, and can operate with genuine autonomy. Developers have been paying close attention to it.
On March 31, a packaging error in a public npm release bundled a 59.8 MB JavaScript source map that was never meant to ship. That file contained 513,000 lines of unobfuscated TypeScript across nearly 1,900 files. Internal orchestration logic, permission systems, hidden features, and build details were all exposed. None of it should have been public.
The code spread immediately. Users mirrored it, republished it on GitHub, and forked it tens of thousands of times. That kind of viral momentum is exactly what criminals look for.
The Fake Repositories
Security researchers at Zscaler identified a malicious GitHub repository posing as a legitimate copy of the leaked code. Its author, going by the name “idbzoomh,” framed the upload as a working fork with “unlocked enterprise features” and no message usage limits. That framing was deliberate. It targeted people who wanted more than the standard version of the tool.
The repository was also built for visibility. It used keyword-rich titles and descriptions to rank for searches like “leaked Claude Code” — and it worked. The page appeared near the top of Google results, putting it directly in front of users who had no reason to suspect a trap.
Those users downloaded a 7-Zip archive from the releases section. Inside sat a Rust-built executable named ClaudeCode_x64.exe. Running it deployed two malware payloads.
What Vidar and GhostSocks Do
The first payload, Vidar, is a well-established infostealer. It targets saved browser passwords, session cookies, autofill data, cryptocurrency wallet files, and credit card details stored in browsers. Once it collects that data, it sends it to attacker-controlled servers within minutes. Vidar is a commodity tool — widely available, actively maintained, and capable of causing serious damage fast.
The second payload, GhostSocks, works differently. It turns the infected machine into a residential proxy node, routing criminal traffic through the victim’s internet connection. Attackers use these proxy networks to disguise their location, sell proxy access as a service, or bypass fraud detection systems. The victim’s device becomes part of infrastructure they never agreed to host.
Researchers also found the malicious archive updating repeatedly during analysis. That points to an active operation — one likely to shift payloads as the campaign evolves.
Part of a Bigger Operation
This campaign did not start with Claude Code. Trend Micro researchers found that the same threat actors had been running a rotating-lure operation since at least February 2026. The group cycles through more than 25 different software brands, swapping whatever name is trending for the same underlying payload. The infrastructure stays constant. Only the bait changes.
A nearly identical campaign ran weeks earlier using OpenClaw, another AI agent platform, as the hook. It delivered the same combination of Vidar and GhostSocks. The Claude Code leak simply gave the attackers a more prominent name to exploit.
At least two trojanized repositories remained live on GitHub when researchers published their findings. One had accumulated nearly 800 forks and over 500 stars before action was taken.
The Longer-Term Risk of the Leak Itself
Beyond the immediate Claude Code malware threat, the exposed source code creates problems that outlast any single campaign. The leaked files reveal internal mechanisms that give attackers a detailed map of how the tool operates. One unreleased feature, referenced in the code as KAIROS, describes a persistent background daemon that lets Claude Code run autonomously and act on things it notices in the environment.
That kind of detail — permission logic, execution flows, agentic behavior — helps attackers craft more targeted attacks. Zscaler researchers flagged the potential for future vulnerability discovery, prompt injection attacks, and agentic attack surface mapping, all made easier now that the internal architecture is no longer private. Anthropic has filed copyright takedown requests to limit further spread of the code.
Final Thoughts
The Claude Code malware campaign required no sophisticated exploit. Attackers used a fake repository, a convincing pitch, some basic SEO, and good timing. What made it effective was the trust people extend to GitHub by default — and the excitement that follows a high-profile leak.
If you searched for the leaked Claude Code source and downloaded anything from an unofficial repository, treat your machine as potentially compromised. Rotate credentials stored in your browser, check for unusual outbound network activity, and scan for Vidar indicators. Only ever install Claude Code from Anthropic’s official npm package, and treat any repository promising “unlocked” or “unrestricted” versions as a red flag.
