Fake Claude Code Repos Spread Credential-Stealing Malware After Source Leak

A misconfigured npm package from Anthropic's Claude Code coding assistant gave threat actors all the cover they needed: within 24 hours of a packaging error leaking nearly 60 megabytes of unobfuscated TypeScript source, criminals had stood up fake GitHub repositories bundled with credential-stealing malware.

Security researchers at Trend Micro, whose findings were published April 3, traced the chain of events to a missing or misconfigured .npmignore and source-map configuration in a late March 2026 package release. The error caused Anthropic's upload to include a 59.8 MB map file that pointed directly back to the original TypeScript sources, making the underlying code readable to anyone who downloaded it. Mirrored copies proliferated on GitHub within hours of the exposure.

What distinguished the campaign from routine copycat activity was the weaponization of the leak itself as a lure. The fake repositories did not simply repost the exposed source. They bundled or outright replaced download archives with Rust-compiled payloads that installed Vidar infostealer and GhostSocks proxy malware on victim machines. Vidar harvests browser credentials, session tokens, and stored passwords; GhostSocks establishes persistent proxy tunnels through infected hosts. Threat actors exploited GitHub Releases as the delivery mechanism, a trusted channel that security filters often treat as low-risk.

Trend Micro's analysts noted that the operation was not purpose-built for this incident. The same rotating lure infrastructure had been impersonating multiple software brands since at least February 2026, giving attackers an established distribution pattern to slot Claude Code into. Disposable accounts and large trojanized archives were rotated to survive takedown requests, and the researchers flagged that DMCA-style removal efforts can produce collateral damage without stopping determined adversaries who spin up replacements rapidly.

The researchers quoted in the analysis wrote that "this incident signifies that security compromise doesn't always come from software vulnerabilities: it can also come from human and organizational gaps," framing the packaging error as a governance failure as much as a technical one. They urged organizations adopting agentic AI tools to treat software supply-chain hygiene as critical infrastructure, not an afterthought.

Recommended mitigations from Trend Micro include blocking the specific indicators of compromise the team documented, monitoring for unusual GitHub Release download patterns, strictly controlling allowed install paths for developer tooling, and applying content filtering to downloads from public repositories. The researchers argued that enterprises should prioritize detection and isolation of suspicious artifacts rather than relying on vendor takedowns to do the work of defense.

The episode arrives at a moment when developer-oriented AI tools are moving into enterprise pipelines at speed. A single configuration error at the packaging stage translated into an active, multi-malware campaign in less than a day, underscoring how little time defenders have to respond once internal code surfaces in public channels.