Claude Code Source Leak Weaponized: Fake GitHub Repos Spreading Vidar Malware to Developers

The Claude Code source leak we covered last week has escalated from embarrassment to active threat. Attackers are now using the leaked source code as bait to distribute Vidar v18.7 info-stealer and GhostSocks proxy malware through fake GitHub repositories.

The Attack Chain

The sequence is textbook social engineering amplified by a real-world event:

  1. March 31: Anthropic’s Claude Code v2.1.88 npm package accidentally ships source maps containing ~513,000 lines of unobfuscated TypeScript across 1,906 files
  2. Within days: A GitHub user (“idbzoomh1”) creates a repository claiming to have reconstructed the leaked code into a functional fork with “enterprise features and unlimited messages”
  3. The payload: The repository’s release section contains a malicious ZIP archive (Claude Code Leaked Source Code.7z) with a Rust-based executable (ClaudeCode_x64.exe)
  4. On execution: The binary drops Vidar v18.7 (information stealer) and GhostSocks (network traffic redirector)

Zscaler researchers observed the threat actor uploading multiple versions of the malicious archive in rapid succession. A second account (“my3jie”) was found hosting identical code — likely the same operator or group.

Why It Works

The attack is effective because the underlying event is real. The Claude Code source was actually leaked. Developers searching for the leaked code find repositories that look legitimate because they reference real file paths, real feature flags, and real internal project names (KAIROS, Capybara) from the actual leak.

This isn’t the first attack vector exploiting the leak:

  • Push Security had already warned about fake Claude Code installation pages appearing in Google Search results and distributing malware
  • The Cyware daily threat briefing on April 3 confirmed active exploitation

Vidar + GhostSocks: What Gets Stolen

Vidar v18.7 is a well-established information stealer that harvests:

  • Browser saved passwords and cookies
  • Cryptocurrency wallet files and seed phrases
  • Two-factor authentication tokens
  • System information and screenshots
  • FTP/SSH credentials

GhostSocks redirects victim network traffic through attacker-controlled proxies, enabling:

  • Credential reuse attacks appearing to originate from the victim’s IP
  • Bypassing location-based security controls
  • Persistent access even after Vidar’s one-shot exfiltration

For developers — who typically have access to production credentials, CI/CD pipelines, cloud provider keys, and source repositories — this combination is devastating.

The Supply Chain Echo Effect

This attack demonstrates a pattern we’ve tracked repeatedly this year: a single security incident creates cascading downstream attacks.

The sequence across March-April 2026:

  1. Claude Code npm leak exposes source
  2. Fake repos weaponize the leak with malware
  3. Compromised developer machines potentially expose production environments
  4. Those environments may contain API keys, model credentials, or infrastructure access

Each step amplifies the blast radius. This is exactly what happened with TeamPCP/LiteLLM → Mercor — a supply-chain compromise in AI infrastructure that cascaded into a $10 billion company’s data breach.

Protection for OpenClaw Users

OpenClaw users interact with the same developer ecosystem being targeted. Practical steps:

  • Never download “leaked” source code from random GitHub repos — this is a classic malware distribution vector
  • Verify any AI tool installation against official channels (Anthropic’s official npm package, OpenClaw’s official repository)
  • Run endpoint detection on development machines — Vidar is well-known and detected by most modern EDR
  • Rotate credentials if you’ve downloaded anything claiming to be Claude Code from unofficial sources
  • Check for GhostSocks indicators: unusual outbound proxy connections, unexpected SOCKS traffic

Anthropic’s Bad Month Continues

This is now the third major security event for Anthropic in under two weeks:

  1. Claude Mythos leak (Mar 26-27): Most powerful unreleased model exposed via misconfigured CMS
  2. Claude Code npm source leak (Mar 31): Full 513K-line TypeScript codebase, feature flags, internal codenames
  3. Vidar malware campaign (Apr 1-3): Leak weaponized for active developer targeting

The pattern shows how quickly information leaks compound into operational security threats. Each incident provides attackers with more authentic material to craft convincing lures.

Sources: News4Hackers, Zscaler Research, Cyware Daily Threat Intelligence April 3, 2026, Push Security