*Source code with a side of Vidar stealer and GhostSocks.* Tens of thousands of people eagerly downloaded the leaked Claude Code source code this week, and some of those downloads came with a side of credential-stealing malware.…
# Incident Report: Trojanized Claude Code Source Leak
## Executive Summary
Threat actors leveraged a high-profile "leaked" source code event for Anthropic’s Claude Code CLI to distribute malware via GitHub. By promising a feature-unlocked version of the tool, attackers tricked tens of thousands of users into downloading a Rust-based dropper that delivers the Vidar infostealer and the GhostSocks proxy malware. The campaign used search engine optimization (SEO) to place the malicious repositories at the top of Google search results.
## Incident Details
- **Discovery Date:** April 2, 2026 (Reported)
- **Incident Date:** Late March – April 2026
- **Affected Organization:** General public/Developers (Lure: Anthropic Claude Code)
- **Sector:** Information Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late March 2026
- **Vector:** Phishing/Social Engineering via GitHub
- **Details:** Attackers created a repository (idbzoomh) claiming to host the "leaked" TypeScript source code for Anthropic's Claude Code CLI, allegedly reconstructed from a `.map` file.
### Lateral Movement
- **Details:** Not applicable in this context; the malware focuses on local host compromise and credential harvesting rather than internal network pivoting, though GhostSocks may facilitate external traffic proxying.
### Data Exfiltration/Impact
- **Details:** Vidar malware harvested account credentials, credit card data, and browser history. GhostSocks installed a proxy listener to monetize the victim's bandwidth or hide criminal traffic.
### Detection & Response
- **Detection:** Discovered by Zscaler ThreatLabz during routine GitHub threat monitoring.
- **Response:** Public disclosure by Zscaler and *The Register*; reporting of malicious repositories to GitHub for takedown.
## Attack Methodology
- **Initial Access:** Trojanized software repository; SEO poisoning (appearing at the top of Google search results).
- **Persistence:** Not explicitly detailed in the article; Vidar typically persists via registry keys or startup-folder placement.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Use of a Rust-based dropper (`ClaudeCode_x64.exe`) to bypass signature-based detection; hosting on a legitimate platform (GitHub).
- **Credential Access:** Vidar v18.7 used to harvest browser-stored passwords and credit card data.
- **Discovery:** Not specified.
- **Lateral Movement:** N/A.
- **Collection:** Automated collection of system metadata, browser history, and sensitive credentials.
- **Exfiltration:** Exfiltration of stolen data to attacker-controlled C2 servers.
- **Impact:** Financial theft via credit card data; establishment of a residential proxy botnet using GhostSocks.
## Impact Assessment
- **Financial:** High potential loss for individuals due to stolen credit card and bank credentials.
- **Data Breach:** Compromise of sensitive developer credentials (SSH keys, API tokens often stored in browsers).
- **Operational:** System performance degradation due to proxy activity; victims' IP addresses may be blocklisted as they are used for illicit transit.
- **Reputational:** Minor for Anthropic (brand impersonation); significant for GitHub (as a distribution platform).
## Indicators of Compromise
- **Network Indicators:**
- GitHub Repo: `github[.]com/idbzoomh`
- **File Indicators:**
- `Claude Code - Leaked Source Code.7z` (Malicious archive)
- `ClaudeCode_x64.exe` (Rust-based dropper)
- **Behavioral Indicators:**
- Unexpected outbound traffic on proxy-related ports.
- Presence of Vidar v18.7 artifacts in `%AppData%` or `%LocalLow%`.
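A minimal triage script over constructed log data, added here as an example (it is not part of the report and not Zscaler's tooling): it refangs the defanged repository indicator so it matches real proxy logs, flags process events that match the file indicators, and flags executables launched from the AppData directories named above. The proxy log lines and process events are constructed samples.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the report. The GitHub URL is defanged ("[.]") there;
# refang_indicator() restores the dot so it can match real proxy logs.
REPO_INDICATOR = "github[.]com/idbzoomh"
FILE_INDICATORS = {"claude code - leaked source code.7z", "claudecode_x64.exe"}
# Directories where the report says Vidar artifacts land (matched case-insensitively).
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\locallow\\")

def refang_indicator(ioc: str) -> str:
    """Turn a defanged indicator ('github[.]com', 'hxxp://') back into a matchable string."""
    return re.sub(r"hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

def scan_proxy_log(lines):
    """Return proxy-log lines whose URL contains the refanged repository indicator."""
    needle = refang_indicator(REPO_INDICATOR).lower()
    return [ln for ln in lines if needle in ln.lower()]

def scan_process_events(events):
    """Flag process events (dicts with 'image' and optional 'cmdline') that match a
    file indicator, or that run an .exe from a directory Vidar is known to use."""
    hits = []
    for ev in events:
        path = ev["image"].lower()
        name = PureWindowsPath(path).name
        text = path + " " + ev.get("cmdline", "").lower()
        if name in FILE_INDICATORS or any(f in text for f in FILE_INDICATORS):
            hits.append((ev["image"], "file indicator"))
        elif path.endswith(".exe") and any(d in path for d in SUSPECT_DIRS):
            hits.append((ev["image"], "executable in Vidar drop directory"))
    return hits

# Constructed sample data: one hit per source, one benign entry each.
PROXY_LOG = [
    "2026-04-01T10:02:11Z 10.0.0.5 GET https://github.com/idbzoomh/archive/refs/heads/main.zip 200",
    "2026-04-01T10:03:40Z 10.0.0.5 GET https://example.com/docs 200",
]
PROCESS_EVENTS = [
    {"image": r"C:\Users\dev\Downloads\Claude Code - Leaked Source Code\ClaudeCode_x64.exe"},
    {"image": r"C:\Users\dev\AppData\LocalLow\svc\update.exe", "cmdline": "update.exe /silent"},
    {"image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node claude"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy hit:", hit)
    for image, reason in scan_process_events(PROCESS_EVENTS):
        print(f"process hit: {image} ({reason})")
```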
## Response Actions
- **Containment:** Removal of malicious repositories from GitHub.
- **Eradication:** Users must terminate `ClaudeCode_x64.exe` processes and perform a full system wipe to remove GhostSocks and Vidar.
- **Recovery:** Users are advised to rotate all passwords and cancel credit cards if the executable was run.
## Lessons Learned
- **Key Takeaways:** Attackers are increasingly using Rust to write droppers for better AV evasion. High-interest AI tool releases provide a "golden window" for social engineering.
- **Improvement:** Better real-time monitoring of GitHub for "trending" repositories that use impersonation keywords (e.g., "Leaked," "Unlocked").
## Recommendations
- **Verification:** Only download developer tools from official sources (e.g., Anthropic’s official npm package or GitHub organization).
- **Security Hygiene:** Treat "leaked" or "unlocked" software as 100% malicious by default.
- **Endpoint Protection:** Use EDR solutions capable of detecting Rust-based compiled binaries and unauthorized proxy listeners.
- **Credential Management:** Use a dedicated Password Manager rather than storing credentials in the web browser.