Claude Code leak is used to push infostealer malware to GitHub

Threat actors are exploiting the latest Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware.
Claude Code is a terminal-based AI agent from Anthropic, designed to perform coding tasks directly in the terminal and to act as an autonomous agent that interacts directly with the system, handles LLM API calls, MCP integration, and persistent memory.
On March 31, Anthropic accidentally disclosed the full client-side source code of the new tool via a 59.8 MB JavaScript source map that was mistakenly included in a published npm package.
The leak contained 513,000 lines of obscure TypeScript across 1,906 files, revealing the agent’s orchestration logic, permission and execution systems, hidden features, build details, and security-related internals.
The exposed code was quickly downloaded by a large number of users and published on GitHub, where it was re-uploaded thousands of times.
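The root cause described above is a JavaScript source map shipped inside a published npm package; a `.map` file whose `sourcesContent` field is populated carries the original, pre-bundle sources verbatim. The following release-gate script is an added example (it is not code from Anthropic, Zscaler, or the leaked project). It scans a gzip tarball of the shape `npm pack` produces (all entries under `package/`) and reports every source map and every `sourceMappingURL` reference, so a CI step can refuse to publish. The package name, file names and file contents in `build_sample_tarball` are constructed for the demonstration.

```python
"""Release gate for npm tarballs: flag JavaScript source maps before publishing.

Added example; not code from Anthropic, Zscaler, or the leaked project.
A .map file with `sourcesContent` embeds the original (pre-bundle) sources,
which is how a single source map can expose an entire TypeScript code base.
The scanner reads a gzip tarball of the shape `npm pack` produces (everything
under `package/`) and reports every map and every `sourceMappingURL`
reference. The sample package below is constructed for the demo.
"""
import io
import json
import re
import tarfile

# Matches the trailing comment bundlers emit to point at a map file or an inline data: URL.
SOURCE_MAP_URL = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)", re.MULTILINE)


def build_sample_tarball() -> bytes:
    """Constructed tarball mimicking a package that accidentally ships cli.js.map."""
    sources = {
        "src/agent.ts": "export const planStep = () => 42;\n" * 20,
        "src/permissions.ts": "export function allow(tool: string) { return true; }\n" * 10,
    }
    source_map = {
        "version": 3,
        "file": "cli.js",
        "sources": list(sources),
        "sourcesContent": list(sources.values()),  # this field is what leaks the code
        "mappings": "AAAA",
    }
    files = {
        "package/package.json": json.dumps({"name": "demo-cli", "version": "1.0.0"}),
        "package/cli.js": "console.log('bundle');\n//# sourceMappingURL=cli.js.map\n",
        "package/cli.js.map": json.dumps(source_map),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_tarball(tarball: bytes) -> list[dict]:
    """Return one finding per source map and per sourceMappingURL reference."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if member.name.endswith(".map"):
                try:
                    sm = json.loads(data)
                except ValueError:
                    sm = {}  # not JSON: still report the file, with zero embedded sources
                embedded = [c for c in (sm.get("sourcesContent") or []) if c]
                findings.append({
                    "kind": "map",
                    "path": member.name,
                    "bytes": member.size,
                    "sources": len(sm.get("sources") or []),
                    "embedded_files": len(embedded),
                    "embedded_lines": sum(c.count("\n") for c in embedded),
                })
            elif member.name.endswith((".js", ".mjs", ".cjs")):
                text = data.decode("utf-8", errors="replace")
                for m in SOURCE_MAP_URL.finditer(text):
                    url = m.group(1)
                    findings.append({
                        "kind": "reference",
                        "path": member.name,
                        "target": url,
                        # a data: URL inlines the whole map into the bundle itself
                        "inline": url.startswith("data:"),
                    })
    return findings


def should_block_publish(findings: list[dict]) -> bool:
    """Block when any map embeds original sources or any bundle inlines a map."""
    return any(
        (f["kind"] == "map" and f["embedded_files"] > 0)
        or (f["kind"] == "reference" and f["inline"])
        for f in findings
    )


if __name__ == "__main__":
    results = scan_tarball(build_sample_tarball())
    for finding in results:
        print(finding)
    print("BLOCK" if should_block_publish(results) else "OK")
```

In a pipeline, feed `scan_tarball` the bytes of the `.tgz` that `npm pack` writes before `npm publish` runs, and pair the gate with an explicit `files` allow-list in `package.json` so that build artifacts never reach the tarball in the first place; the scanner then acts as the second, independent check.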
According to a report from cloud security company Zscaler, the leak created an opportunity for threat actors to deliver the Vidar infostealer to users looking for the Claude Code leak.
Researchers discovered a malicious GitHub repository, published by the user “idbzoomh”, that posed as the leak and advertised it as having “open enterprise features” and no usage restrictions.

Source: Zscaler
To drive more traffic to the fake leak, the repository is promoted through search engine optimization and appears among the first results in Google Search for queries like “leaked Claude Code.”

Source: Zscaler
According to the researchers, curious users downloaded a 7-Zip archive containing a Rust-based executable named ClaudeCode_x64.exe. When launched, the dropper deploys the Vidar infostealer and the GhostSocks network proxy tool.
Zscaler found that the malicious archive is updated frequently, so additional payloads may be added in future iterations.
The researchers also saw a second GitHub repository with the same code, but one that instead showed a ‘Download ZIP’ button that was not working at the time of analysis. Zscaler assesses that it is operated by the same threat actor, most likely to test delivery techniques.

Source: Zscaler
Despite the platform’s security measures, GitHub is frequently used to distribute malicious payloads disguised in various ways.
In campaigns as recent as 2025, threat actors have targeted unsuspecting researchers and hackers with repositories claiming to hold proof-of-concept (PoC) exploits for recently disclosed vulnerabilities.
Historically, attackers have been quick to capitalize on widely publicized events in the hope of opportunistic gain.