Find notable cyber news and cases, enriched with sources, timelines, and signals.

Claude Code leak GitHub Vidar lure campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A malicious GitHub repository campaign is abusing the Claude Code leak to deliver Vidar to users searching for leaked code. The lure uses a fake leak, search-engine optimization, and a booby-trapped 7-Zip archive to turn curiosity into malware infection. That matters because the same path also installs GhostSocks, expanding the operators' ability to steal credentials and proxy traffic.

Related Happenings

Miasma source code leak on GitHub

Data Leak
H score32 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma source code** was **briefly leaked on GitHub**, exposing malware framework code that could be copied, studied, and modified by other threat actors. The exposure repor...

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...

Shai-Hulud public GitHub repository credential exposure

Data Leak
H score26 First: 18.05.2026 20:28 Last: 18.05.2026 20:28 Sources 1

About this happening: **Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
H score33 First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

Timeline

  1. 02.04.2026 23:30 1 articles · 3mo ago

    Anthropic exposes Claude Code source code

    Initial Disclosure

    Anthropic accidentally exposed the full client-side source code for Claude Code through a 59.8 MB JavaScript source map included in the published npm package, leaking 513,000 lines of unobfuscated TypeScript across 1,906 files and revealing orchestration logic, permissions, execution systems, hidden features, build details, and security-related internals.

    Show sources
  2. 02.04.2026 23:30 2 articles · 3mo ago

    Fake GitHub repositories turn Claude Code leak into Vidar lure

    Exploitation Observed

    Threat actors used fake GitHub repositories to exploit interest in the Claude Code leak, including a repository published by user idbzoomh that advertised a fake leak with 'unlocked enterprise features' and no usage restrictions, was optimized for Google Search queries like 'leaked Claude Code', and steered users toward a 7-Zip archive that launches ClaudeCode_x64.exe to drop Vidar and the GhostSocks network traffic proxying tool; Zscaler also identified a second repository with identical code and a nonfunctional 'Download ZIP' button.

    Show sources