Vidar infostealer propagated via malicious GitHub repositories exploiting exposed Claude Code source code
Summary
Threat actors leveraged the accidental public exposure of Anthropic’s Claude Code source code to distribute the Vidar information-stealing malware through fraudulent GitHub repositories. Attackers created fake repositories posing as the leaked code, optimized for SEO to appear prominently in search results for queries related to the leak. Downloads from these repositories delivered a 7-Zip archive containing a Rust-based dropper (ClaudeCode_x64.exe) that installed Vidar infostealer along with the GhostSocks traffic proxying tool. The malicious archive is actively updated, indicating ongoing iteration of payloads and tactics.
Timeline
- 02.04.2026 23:30 · 1 article
Vidar infostealer campaign abuses leaked Claude Code exposure via malicious GitHub repositories
Threat actors capitalize on the accidental public exposure of Anthropic’s Claude Code source code by publishing fraudulent GitHub repositories that distribute Vidar infostealer. The malicious repositories are SEO-optimized to rank highly in search results for queries related to the leak, luring victims to download a 7-Zip archive containing a Rust-based dropper (ClaudeCode_x64.exe). Execution of the dropper installs Vidar infostealer and GhostSocks proxying tool. The malicious archive is actively updated, suggesting ongoing adaptation of payloads and tactics.
Sources:
- Claude Code leak used to push infostealer malware on GitHub — www.bleepingcomputer.com — 02.04.2026 23:30
Information Snippets
- Anthropic’s Claude Code client-side source code (a 59.8 MB JavaScript source map) was accidentally exposed in an npm package on March 31, revealing 513,000 lines of TypeScript across 1,906 files.
  First reported: 02.04.2026 23:30 (1 source, 1 article)
- The exposed code was widely distributed on GitHub, with legitimate users forking repositories to analyze the leak.
- Threat actors exploited this interest by publishing malicious GitHub repositories under the username ‘idbzoomh’, advertising fake leaks as containing "unlocked enterprise features" with no usage restrictions.
- The malicious repository is SEO-optimized and ranks highly in Google Search for queries such as “leaked Claude Code,” driving traffic to the fraudulent download.
- The downloadable 7-Zip archive contains a Rust-based executable (ClaudeCode_x64.exe) that acts as a dropper for the Vidar infostealer and the GhostSocks traffic-proxying tool. A genuine source-map leak would consist of TypeScript, JavaScript and map files, so the presence of a native Windows executable is itself the tell.
- The malicious archive is frequently updated, suggesting the threat actor may swap or add payloads in subsequent iterations.
- A second GitHub repository with identical code was identified, but its ‘Download ZIP’ button was non-functional at the time of analysis; it was likely used by the same actor to test delivery strategies.
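The lure works because the download contradicts its own claim: a "source code leak" that ships a Windows executable. The following Python script is an added example (it is not code from the article, from Anthropic, or from the campaign) that turns that observation into a triage check. It inspects only the first bytes of each archive member, flags PE images by their MZ/PE headers (including ones masquerading behind a harmless extension), flags native or nested-archive members that do not belong in a JavaScript source dump, and reads a GitHub "Download ZIP" file without extracting it. The two listings at the bottom are constructed for the demo; the member name ClaudeCode_x64.exe comes from the report, but the header bytes are synthetic and are not taken from the real dropper.

```python
import struct
import zipfile
from pathlib import PurePosixPath

# Members a genuine JavaScript source-map dump would plausibly contain.
SOURCE_EXTS = {".ts", ".tsx", ".js", ".mjs", ".cjs", ".json", ".map"}
# Members that have no business in a "leaked source code" drop.
NATIVE_EXTS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".lnk"}
# Nested archives (the campaign ships a 7-Zip file) must be expanded and triaged on their own.
ARCHIVE_EXTS = {".7z", ".zip", ".rar"}


def looks_like_pe(head: bytes) -> bool:
    """True if head begins with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return e_lfanew + 4 <= len(head) and head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_entries(entries: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that contradicts a source-code drop.

    entries maps archive member names to the first few hundred bytes of each member;
    only headers are inspected, so the payload never has to be fully extracted."""
    findings = []
    for name, head in entries.items():
        ext = PurePosixPath(name).suffix.lower()
        if looks_like_pe(head):
            if ext in (".exe", ".dll"):
                findings.append((name, "PE image; detonate only in a sandbox"))
            else:  # executable hiding behind a harmless-looking extension
                findings.append((name, f"PE image masquerading as {ext or 'no extension'}"))
        elif ext in NATIVE_EXTS:
            findings.append((name, f"native or script extension {ext} in a source-code drop"))
        elif ext in ARCHIVE_EXTS:
            findings.append((name, "nested archive; expand and triage separately"))
    return findings


def verdict(entries: dict[str, bytes]) -> tuple[str, list[tuple[str, str]]]:
    """Classify an archive listing as 'suspicious', 'not-source' or 'plausible'."""
    findings = triage_entries(entries)
    if findings:
        return "suspicious", findings
    has_source = any(PurePosixPath(n).suffix.lower() in SOURCE_EXTS for n in entries)
    return ("plausible" if has_source else "not-source"), findings


def triage_zip(path: str, head_len: int = 512) -> tuple[str, list[tuple[str, str]]]:
    """Apply verdict() to a GitHub 'Download ZIP' file without extracting it to disk."""
    entries = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                with zf.open(info) as fh:
                    entries[info.filename] = fh.read(head_len)
    return verdict(entries)


def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header for the demo; not bytes from the real dropper."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE header right after it
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed listing mirroring the reported lure: a README and the dropper, no source at all.
SAMPLE_LURE = {
    "README.md": b"# Claude Code leak - unlocked enterprise features\n",
    "ClaudeCode_x64.exe": fake_pe(),
}
# Constructed listing of what a genuine source-map dump would look like.
SAMPLE_SOURCE = {
    "src/index.ts": b"export function main() {}\n",
    "cli.js.map": b'{"version":3,"sources":["src/index.ts"]}',
}

if __name__ == "__main__":
    for label, listing in (("lure", SAMPLE_LURE), ("source", SAMPLE_SOURCE)):
        print(label, verdict(listing))
```

Because the 7-Zip archive itself is not readable with the standard library, the script reports it as a nested archive to be expanded (on an isolated host) and fed back through `triage_entries`; the check is a first-pass filter on the download, not a substitute for sandbox detonation of the dropper, and since the report notes the archive is actively updated, the member names will not stay constant while the "executable in a source leak" contradiction will.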