Hackers Weaponize Claude Code Leak to Spread Vidar and GhostSocks Malware

cybersecuritynews.com · lschueller · 3 days ago · view on HN · research
The cybersecurity community is on high alert following a massive source code leak from Anthropic. On March 31, 2026, the company accidentally exposed the complete source code for Claude Code, its flagship terminal-based coding assistant. The leak occurred due to a packaging error in a public npm package, which inadvertently included a JavaScript source map file containing over half a million lines of unobfuscated TypeScript. While the exposed data did not include model weights or user data, it did reveal highly sensitive internal mechanisms.

Almost immediately after security researcher Chaofan Shou publicly disclosed the incident on social media, the codebase was mirrored across GitHub and forked tens of thousands of times.

[Figure: Google search results for leaked Claude Code on GitHub returning a malicious repository (Source: Zscaler)]

The widespread availability of the proprietary code has created a massive vector for supply chain attacks. Cybercriminals are now actively weaponizing this incident, creating malicious forks designed to compromise developer workstations. Zscaler ThreatLabz researchers recently discovered a highly deceptive campaign leveraging the leak as a social engineering lure to target developers seeking access to the source code.
Delivering Vidar and GhostSocks Malware

In this newly discovered campaign, attackers have established malicious GitHub repositories that masquerade as the authentic leaked repository. One prominent page, published by a threat actor named idbzoomh, currently ranks near the top of search engine results for users attempting to find the files.

[Figure: Malicious GitHub repository using the leaked Claude Code source as a lure (Source: Zscaler)]

The repository promises an unlocked version of the enterprise software featuring no usage limits. Instead of legitimate code, the provided zip archive contains a Rust-based dropper executable. Upon execution, this dropper deploys the Vidar information stealer to siphon sensitive credentials and GhostSocks to proxy network traffic. This deployment of GhostSocks closely mirrors previously observed campaigns where threat actors utilized fake software installers to distribute network proxies alongside data-stealing malware.

[Figure: Additional GitHub repository hosting the same Claude Code leak lure with a "Download ZIP" button (Source: Zscaler)]

The exposure of these internal components presents severe risks that extend far beyond simple social engineering lures. The leaked files reveal complex orchestration details, permission execution layers, persistent memory systems, and dozens of hidden internal feature flags. Because the original codebase includes advanced capabilities for local shell execution and auto-executing scripts, threat actors possessing the full source can easily craft precise exploits. Attackers can potentially trigger silent device takeovers or credential theft simply by tricking a developer into cloning an untrusted repository or opening a specially crafted project file.

Mitigation and Defense Strategies

Organizations must implement immediate defensive measures to protect their development environments from these opportunistic attacks.
Security teams should strongly advise all developers against downloading, building, or running any code claiming to be the leaked Anthropic software. Relying strictly on official channels and signed binaries is essential for maintaining integrity. Furthermore, implementing a Zero Trust architecture and segmenting access to critical applications will help limit the potential blast radius if a developer workstation becomes compromised. Monitoring for anomalous outbound network connections and scanning local environments for unexpected npm packages are critical steps for identifying early signs of infection.