Claude Code leak GitHub Vidar lure campaign
Campaign
Summary
Hide ▲
Show ▼
A malicious GitHub repository campaign is abusing the Claude Code leak to deliver Vidar to users searching for leaked code. The lure uses a fake leak, search-engine optimization, and a booby-trapped 7-Zip archive to turn curiosity into malware infection. That matters because the same path also installs GhostSocks, expanding the operators' ability to steal credentials and proxy traffic.
Related Happenings
Miasma source code leak on GitHub
Data Leak
H score32
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma source code** was **briefly leaked on GitHub**, exposing malware framework code that could be copied, studied, and modified by other threat actors. The exposure repor...
Miasma source code leak on GitHub
Data LeakAbout this happening: The **Miasma source code** was **briefly leaked on GitHub**, exposing malware framework code that could be copied, studied, and modified by other threat actors. The exposure repor...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Shai-Hulud public GitHub repository credential exposure
Data Leak
H score26
First: 18.05.2026 20:28
Last: 18.05.2026 20:28
Sources 1
About this happening:
**Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...
Shai-Hulud public GitHub repository credential exposure
Data LeakAbout this happening: **Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
H score33
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Fake Claude Code installation-page infostealer campaign targeting developers
CampaignAbout this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Timeline
-
02.04.2026 23:30 1 articles · 3mo ago
Anthropic exposes Claude Code source code
Initial DisclosureAnthropic accidentally exposed the full client-side source code for Claude Code through a 59.8 MB JavaScript source map included in the published npm package, leaking 513,000 lines of unobfuscated TypeScript across 1,906 files and revealing orchestration logic, permissions, execution systems, hidden features, build details, and security-related internals.
Show sources
- Claude Code leak used to push infostealer malware on GitHub — www.bleepingcomputer.com — 02.04.2026 23:30
-
02.04.2026 23:30 2 articles · 3mo ago
Fake GitHub repositories turn Claude Code leak into Vidar lure
Exploitation ObservedThreat actors used fake GitHub repositories to exploit interest in the Claude Code leak, including a repository published by user idbzoomh that advertised a fake leak with 'unlocked enterprise features' and no usage restrictions, was optimized for Google Search queries like 'leaked Claude Code', and steered users toward a 7-Zip archive that launches ClaudeCode_x64.exe to drop Vidar and the GhostSocks network traffic proxying tool; Zscaler also identified a second repository with identical code and a nonfunctional 'Download ZIP' button.
Show sources
- Claude Code leak used to push infostealer malware on GitHub — www.bleepingcomputer.com — 02.04.2026 23:30
- Claude Code leak used to push infostealer malware on GitHub — www.bleepingcomputer.com — 02.04.2026 23:30