
Claude Code leak GitHub Vidar lure campaign

Campaign
Happening score: 48
1 unique source, 1 article

Summary


A malicious GitHub repository campaign is abusing the Claude Code leak to deliver Vidar to users searching for leaked code. The lure uses a fake leak, search-engine optimization, and a booby-trapped 7-Zip archive to turn curiosity into malware infection. That matters because the same path also installs GhostSocks, expanding the operators' ability to steal credentials and proxy traffic.

Related Happenings

Shai-Hulud public GitHub repository credential exposure

Data Leak
First: 18.05.2026 20:28 Last: 18.05.2026 20:28 Sources 1

About this happening: **Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

SEO-poisoned GitHub facade campaign targeting enterprise admin tools

Campaign
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Timeline

  1. 02.04.2026 23:30 1 article · 1mo ago

    Anthropic exposes Claude Code source code

    Initial Disclosure

    Anthropic accidentally exposed the full client-side source code for Claude Code through a 59.8 MB JavaScript source map included in the published npm package. The leak comprised 513,000 lines of unobfuscated TypeScript across 1,906 files and revealed orchestration logic, permissions, execution systems, hidden features, build details, and security-related internals.

  2. 02.04.2026 23:30 2 articles · 1mo ago

    Fake GitHub repositories turn Claude Code leak into Vidar lure

    Exploitation Observed

    Threat actors used fake GitHub repositories to exploit interest in the Claude Code leak. One repository, published by user idbzoomh, advertised a fake leak with 'unlocked enterprise features' and no usage restrictions, and was optimized for Google Search queries like 'leaked Claude Code'. It steered users toward a 7-Zip archive that launches ClaudeCode_x64.exe to drop Vidar and the GhostSocks network traffic proxying tool. Zscaler also identified a second repository with identical code and a nonfunctional 'Download ZIP' button.
