Security firms warn: attackers weaponized the Claude Code leak to deliver malware via fake repos

One trojanized "leaked Claude Code" GitHub repository had accumulated 793 forks and 564 stars before researchers flagged it. The .7z archive sitting in its Releases tab, named "Claude Code - Leaked Source Code," contained a Rust-compiled binary called ClaudeCode_x64.exe. On execution, that dropper deployed two payloads: Vidar v18.7, a credential-stealing infostealer that has operated as a Malware-as-a-Service since 2018, and GhostSocks, a GoLang-written proxy tool that tunnels attacker traffic through infected machines via SOCKS5 backconnect to evade anti-fraud systems at financial institutions. Before it was removed, the malicious repository was appearing near the top of Google search results for anyone searching "leaked Claude Code."

Trend Micro's threat research team, led by Jacob Santos, Sophia Nilette Robles, and Jeffrey Francis Bonaobra, documented the campaign in an April 3, 2026 advisory, placing weaponization within 24 hours of the original source exposure. On March 31, 2026, Anthropic accidentally shipped the entire source code of Claude Code to the public npm registry via a misconfigured debug file, approximately 512,000 lines of it. Security researcher Chaofan Shou discovered the inadvertently published source map and disclosed it publicly. Anthropic confirmed the packaging error. A follow-up Trend Micro advisory on April 7 confirmed that PureLog Stealer was also distributed through the same campaign infrastructure alongside Vidar and GhostSocks.

Zscaler ThreatLabz researchers encountered the repo while monitoring GitHub for active threats and noted that the README claimed the code had been "rebuilt into a working fork with 'unlocked' enterprise features and no message limits." That framing is the social engineering: it gives a developer a reason to want to run the binary. GitHub's trusted-domain status does the rest. Defenders routinely whitelist GitHub-hosted downloads, and attackers have learned to treat that trust signal as an attack surface.

The Claude Code bait was part of a broader rotating lure operation active since February 2026, impersonating more than 25 software brands while delivering the same Rust-compiled infostealer payload. The Rust-compiled dropper was not incidental. Rust malware increased approximately 300% in 2024, and traditional antivirus detects only around 40% of it because signature-based engines lack recognizable patterns from Rust's unique binary output. A Rust binary is also a plausible artifact in AI agent tooling workflows, which provides camouflage by default. The leaked source additionally surfaced CVE-2025-59536 and CVE-2026-21852, covering remote code execution and API key exfiltration via malicious repo configs and MCP servers, both of which Zscaler ThreatLabz noted became far easier to weaponize with full source visibility.

When cloning anything that surfaced around a trending security event, verify the repository owner's account age, commit history, and confirmed upstream identity before running anything locally. For Rust projects, run `cargo audit` against your dependency tree and `cargo vet` on any new additions before merging them. Pin dependencies to specific commit hashes rather than mutable tags: the Trivy supply-chain attack demonstrated that 75 existing tags in a widely-used repository can be force-pushed in a single campaign. Execute unfamiliar binaries in a sandboxed environment with no credential access and no network egress to production systems. Treat every GitHub Release the same way you would treat an unsigned binary handed to you by a stranger, because structurally that is exactly what it is.

If you already executed ClaudeCode_x64.exe or anything from a fake "leaked Claude Code" archive, rotate everything the machine had access to immediately: API keys, GitHub tokens, SSH keys, and any secrets stored in shell history or .env files. Check for unexpected outbound SOCKS5 connections, which signal GhostSocks establishing proxy infrastructure on your machine. Vidar Stealer 2.0's multithreaded architecture runs parallel exfiltration routines at execution time, so assume all stored credentials were taken, not just the ones you consider sensitive. Reimage the machine before returning it to any environment with production access.

The attack surface for this campaign expanded the moment Chaofan Shou's disclosure spread, and the attackers were faster than the defenders. That speed is the pattern: any high-profile, trending developer artifact becomes bait within hours, and the repos that look most legitimate will catch the most developers.