Claude Code leak abused to spread Vidar on GitHub

The Claude Code leak turned into a malware magnet almost immediately. On March 31, Anthropic accidentally exposed a 59.8 MB JavaScript source map in an npm package, and researchers say attackers were already using the buzz to push Vidar infostealer payloads through fake GitHub repositories.

That is the part worth paying attention to: the leak itself was serious, but the speed of the follow-on abuse is the real story. A public code slip became search bait, and search bait became a delivery channel for malware aimed at curious developers, security researchers, and anyone who wanted a copy of the leaked tool.

Claude Code is Anthropic’s terminal-based AI agent for coding tasks. It runs in the terminal, interacts with the system directly, handles LLM API calls, integrates with MCP, and keeps persistent memory. That makes it useful, but it also means the source code reveals a lot about how the agent thinks, acts, and gets permission to do things.

What leaked, and why attackers cared

According to the report, the accidental exposure included 513,000 lines of unobfuscated TypeScript spread across 1,906 files. That is a lot of implementation detail for a product still fresh in the market, and it gave outsiders a look at orchestration logic, permissions, execution paths, hidden features, build details, and security internals.

Once that kind of code hits public circulation, two groups move fast. Legitimate developers inspect it for insight, while attackers look for a way to turn the attention into traffic. In this case, the lure was simple: fake a “leak,” promise unlocked features, and let curiosity do the rest.

Zscaler says one malicious repository, published by a user named idbzoomh, claimed to offer an “unlocked enterprise” version with no restrictions. The repository was also tuned for search visibility, and it surfaced near the top of Google results for queries such as “leaked Claude Code.”

• Source map exposed: 59.8 MB
• TypeScript lines disclosed: 513,000
• Files exposed: 1,906
• Malicious archive payload: 7-Zip file with ClaudeCode_x64.exe

The technical trick is old, but the packaging is current. Attackers do not need a clever exploit when they can attach malware to a story people already want to click.

How the fake repo delivered Vidar

The malicious repository offered a downloadable archive that looked like the leaked code. Inside was a Rust-based executable called ClaudeCode_x64.exe. Once launched, the dropper installed Vidar along with GhostSocks, a tool used for proxying network traffic.

Vidar is a familiar name in incident response circles. It is a commodity information stealer that targets browser data, stored credentials, session cookies, and other details that can be monetized quickly. In practice, that can mean stolen logins, access to cloud accounts, and footholds for follow-on intrusion.

“There is a sucker born every minute.” — P. T. Barnum

The quote is old, but the lesson fits this campaign. Attackers did not need to break GitHub’s security controls to get results. They needed a believable story, a search-friendly repository name, and a payload wrapped in the kind of archive people download when they are rushing to inspect a leak.

Zscaler also found that the archive was being updated frequently, which suggests the operator was iterating on delivery. That matters because it shows the campaign was not a one-off prank. It looked like an active malware operation using the Claude Code leak as a traffic source.

Why GitHub keeps getting abused

GitHub is a natural target for this kind of abuse because developers trust it, search engines index it heavily, and many people associate it with legitimate open-source distribution. That combination makes it useful for attackers who want their payloads to look normal long enough for someone to download them.

This is also not a new trick. BleepingComputer notes that in late 2025, threat actors used repositories that claimed to host proof-of-concept exploits for newly disclosed vulnerabilities. The pattern is consistent: attach malware to something people are already hunting for, then let urgency override caution.

• Attack surface: search results, GitHub pages, downloadable archives
• Payload chain: fake leak repo → archive download → dropper execution → Vidar and GhostSocks
• Target profile: developers, security researchers, and malware-curious users
• Distribution tactic: SEO-optimized repository text and naming

That last point matters more than it gets credit for. A lot of malware campaigns still depend on email or drive-by downloads, but this one used search intent as the entry point. If a user already believes they are looking for leaked Claude Code source, the malicious repo feels like a shortcut rather than a warning sign.

GitHub has added more security features over time, and GitHub Security continues to push protections for code scanning and dependency safety. Even so, the platform remains a useful distribution layer for attackers because trust is partly social, not just technical.

What this says about AI tools and security hygiene

The bigger lesson here is not about one leak or one stealer. It is about how fast the security story around AI tools is becoming part of the attack surface. When a new coding agent gets attention, attackers start thinking about the people who want it, the people who study it, and the people who will download almost anything that looks like an early release.

That makes source hygiene more than an engineering detail. A stray source map, an exposed package artifact, or a public build misstep can create a chain reaction that ends with malware distribution. The issue is amplified when the product is tied to developer workflows, since developers are trained to move quickly and inspect code with a high degree of trust.

For teams that build or use AI coding tools, the practical response is straightforward: audit package publishing steps, check what gets included in release artifacts, and treat “leaked” downloads as hostile until proven otherwise. If a repo promises hidden features, extra access, or a rare build that nobody else has, that is exactly the moment to stop.

For readers following similar incidents, OraCore’s related coverage on the Claude Code npm leak and fake VS Code alerts on GitHub shows the same playbook from different angles. The product changes, but the social engineering pattern stays stubbornly similar.

What happens next

My guess is that this campaign will not be the last time a leaked AI tool becomes bait for a stealer. The cost of setting up a convincing GitHub repo is low, the payoff can be high, and search engines make it easy for attackers to catch people in the first wave of curiosity.

If you are a developer, the safest move is boring and effective: verify the source, inspect the publisher, and avoid downloading “leaks” from repositories that were created yesterday. If you run security awareness for a team, this is a good example to show that the first risk after a public leak is often social, not technical. The code may have been exposed by accident, but the compromise usually starts when someone clicks because they want to see what got out.