Threat actors are moving quickly to exploit the recent Claude Code source code leak, setting up fake GitHub repositories that impersonate the leaked source code to deliver the Vidar information-stealing malware to developers and security researchers who search for the exposed code.
The campaign was reported by BleepingComputer on April 2, 2026, and follows a well-established playbook: when a high-profile source code leak generates broad developer interest, attackers create lookalike repositories to intercept that interest and redirect it toward malware delivery.
How the Attack Works
1. Anthropic's Claude Code source code leaked via npm packaging error (late March 2026)
2. Developers and researchers search GitHub for "claude-code source" or related terms
3. Attackers create fake GitHub repositories with convincing names:
- e.g. "claude-code-source", "anthropic-claude-leaked", "claude-code-internal"
4. Repositories contain README files with enticing descriptions of the leaked code
5. Users download ZIP archives or follow install instructions from the fake repos
6. Payloads deliver Vidar infostealer, which silently harvests credentials
7. Stolen data exfiltrated to attacker-controlled infrastructure

The repositories are designed to appear credible through several techniques:
- Plausible naming that matches search queries around the Claude Code leak
- Seeded star counts inflated through compromised or sockpuppet accounts
- README files that reference legitimate news coverage of the leak to build authenticity
- Staged commit history to simulate a development timeline
- Misleading licence files and folder structures that mimic legitimate source repositories
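One way to turn the credibility tricks above into a triage check, as an added example that is not from the article, from GitHub or from Anthropic: the script below scores repository metadata of the shape the GitHub REST API returns (constructed inline here, with fictional owners and numbers) for lure naming, post-leak creation, star velocity and a thin commit history. The leak date, the thresholds, the `commit_count` field and the `trusted_owners` allowlist are assumptions.

```python
"""Heuristic triage of repository metadata for "leaked source" lures.

Added example, not part of the original article or of any project it names.
Thresholds, the leak date and the commit_count field are assumptions.
"""
from datetime import datetime, timezone

# The article only says "late March 2026"; this exact date is an assumption.
LEAK_DATE = datetime(2026, 3, 31, tzinfo=timezone.utc)

# Name fragments matching the searches the article describes.
PRODUCT_TERMS = ("claude-code", "claude_code", "claudecode", "anthropic")
LEAK_TERMS = ("leak", "source", "internal", "dump")

# Stars per day of repository age above which organic growth is unlikely
# for a days-old repository (assumed threshold).
STAR_VELOCITY_LIMIT = 50.0


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps GitHub returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lure_name(short_name):
    """True when a repo name pairs a product term with a leak term."""
    n = short_name.lower()
    return any(p in n for p in PRODUCT_TERMS) and any(t in n for t in LEAK_TERMS)


def triage_repo(repo, now, trusted_owners=frozenset()):
    """Return (verdict, signals) for one repository metadata dict.

    `commit_count` is not a field of the repository endpoint; it is assumed
    to have been filled in from the commits listing beforehand.
    """
    owner, _, short = repo["full_name"].lower().partition("/")
    if owner in trusted_owners:
        return "trusted-owner", []
    created = _ts(repo["created_at"])
    # Floor the age at one hour so a minutes-old repo cannot divide by ~0.
    age_days = max((_ts(now) - created).total_seconds() / 86400.0, 1.0 / 24)
    stars = repo.get("stargazers_count", 0)
    commits = repo.get("commit_count", 0)

    signals = []
    if lure_name(short):
        signals.append("lure-name")
    if created >= LEAK_DATE:
        signals.append("created-after-leak")
    if stars / age_days >= STAR_VELOCITY_LIMIT:
        signals.append("star-velocity")
    if commits <= 5 and stars >= 100:
        signals.append("thin-history")

    if "lure-name" in signals and len(signals) >= 3:
        verdict = "likely-lure"
    elif len(signals) >= 2:
        verdict = "suspicious"
    else:
        verdict = "low"
    return verdict, signals


# Constructed sample metadata (fictional owners and numbers).
SAMPLE_REPOS = [
    {"full_name": "example-attacker/claude-code-source-leak",
     "created_at": "2026-04-01T00:00:00Z", "stargazers_count": 800,
     "commit_count": 3},
    {"full_name": "example-dev/my-claude-helper",
     "created_at": "2024-01-15T09:30:00Z", "stargazers_count": 12,
     "commit_count": 400},
]
SAMPLE_NOW = "2026-04-02T12:00:00Z"


def triage_samples(now=SAMPLE_NOW):
    """Triage every constructed sample; returns {full_name: (verdict, signals)}."""
    return {r["full_name"]: triage_repo(r, now) for r in SAMPLE_REPOS}


if __name__ == "__main__":
    for name, (verdict, signals) in triage_samples().items():
        print(f"{verdict:12} {name}  {', '.join(signals) or '-'}")
```

Feed it the JSON from the repositories search endpoint plus a commit count per hit, and review anything scored `suspicious` or `likely-lure` by hand; the signals are only a sorting aid, so a genuine community mirror can still trip `lure-name` and `created-after-leak`.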
Vidar Infostealer Payload
The malware payload used in this campaign is Vidar, a well-documented information-stealing malware sold as malware-as-a-service in underground markets. Vidar is capable of stealing:
| Data Category | Specifics |
|---|---|
| Browser credentials | Passwords, cookies, saved credit cards from Chrome, Firefox, Edge, and others |
| Cryptocurrency wallets | Local wallet files from Electrum, Exodus, MetaMask, and others |
| Authentication tokens | Session cookies, OAuth tokens, API keys stored in browser profiles |
| Desktop files | Documents, images, and files from the desktop matching configured extensions |
| 2FA codes | TOTP codes from browser-integrated authenticator extensions |
| FTP/SSH credentials | Stored credentials from FileZilla, WinSCP, PuTTY, and similar tools |
For developers — the primary target audience lured by Claude Code content — the stakes are particularly high. Developer workstations typically hold:
- Cloud provider credentials (AWS, GCP, Azure keys and tokens)
- NPM and GitHub publish tokens with package and repository write access
- Production database connection strings in IDE configurations
- Private keys and certificates used for code signing and deployment
- Corporate VPN credentials and internal system access tokens
A successful Vidar infection from a developer endpoint can rapidly escalate into a supply chain incident if the stolen credentials include npm publish tokens or GitHub personal access tokens.
Attacker Speed and Scale
The campaign illustrates how quickly threat actors operationalise high-profile security events. Within days of the Claude Code leak becoming public news, attackers had:
- Identified the event as a lure opportunity
- Built credible-looking fake repositories
- Set up Vidar delivery infrastructure
- Begun distributing the malicious content
This rapid operationalisation is consistent with organised cybercriminal groups that maintain standing infrastructure and playbooks for deploying lure-based malware campaigns around breaking news events.
Who Is at Risk
This campaign specifically targets:
- Developers and engineers curious about Claude Code's internals after reading about the leak
- Security researchers investigating the source exposure
- AI/ML practitioners interested in how Claude Code's tool execution layer is implemented
- GitHub power users who reflexively clone or star repositories in their area of interest
The technical audience — typically more sophisticated than average users — is targeted precisely because of the value of their credentials, not despite their technical knowledge.
Immediate Response
Check for Fake Repos You May Have Cloned

```shell
# Review recently cloned GitHub repositories
# (replace ~/repos/ with wherever you keep your checkouts)
git config --global --list | grep -i claude
ls ~/repos/ | grep -i claude
# Check git remote origins for any suspicious repositories
git -C <suspect-repo> remote -v
```

Scan Your System

```shell
# Run your endpoint security tool immediately if you cloned any
# unverified Claude Code repository in the past week.
# Vidar indicators on Windows:
# - payload dropped under %APPDATA%\<random_folder>\
# - scheduled tasks or registry Run keys created for persistence
```

Rotate Credentials if Exposed
If you cloned a repository from an unknown source and executed any scripts from it:

```shell
# Immediately rotate:
# 1. GitHub personal access tokens
gh auth status   # shows which account and token the CLI currently holds
# Revoke the exposed token at https://github.com/settings/tokens, then re-authenticate:
gh auth logout && gh auth login
# 2. AWS/cloud provider credentials (create the replacement before deleting the old key)
aws iam create-access-key
aws iam delete-access-key --access-key-id <old-key>
# 3. NPM publish tokens
npm token list
npm token revoke <id>
# or in the web UI: https://www.npmjs.com/settings/<username>/tokens
# 4. Any API keys stored in browser profiles or IDE config
# Treat all credentials on the affected machine as compromised
```

Verify Legitimate Claude Code Source
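The two checks above, finding lure clones on disk and working out which credential stores on the machine need rotating, as one added example that is not from the article. It reads `.git/config` files directly, so it works without the git binary, and the credential-store paths are the usual defaults for npm, gh, AWS and git, assumed for your environment. The sample tree it scans is constructed in a temporary directory.

```python
"""Post-exposure triage for a developer workstation (added example)."""
import os
import re
import tempfile

PRODUCT_TERMS = ("claude-code", "claude_code", "claudecode", "anthropic")
LEAK_TERMS = ("leak", "source", "internal", "dump")

# Credential stores a stealer, or a script run from a cloned repo, can read.
# Paths are relative to the home directory; default locations, assumed.
CREDENTIAL_STORES = {
    "npm auth token": ".npmrc",
    "GitHub CLI token": ".config/gh/hosts.yml",
    "git credential helper store": ".git-credentials",
    "AWS access keys": ".aws/credentials",
    "SSH private keys": ".ssh",
}

_SECTION = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
_URL = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')


def parse_remotes(config_text):
    """Return {remote_name: url} from the text of a .git/config file."""
    remotes, current = {}, None
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip().startswith("["):
            current = None          # some section other than [remote "..."]
            continue
        m = _URL.match(line)
        if m and current:
            remotes[current] = m.group(1)
    return remotes


def looks_like_lure(url):
    """True when the repo name in a remote URL pairs a product and a leak term."""
    tail = url.lower().rstrip("/").rsplit("/", 1)[-1]
    if tail.endswith(".git"):
        tail = tail[:-4]
    return any(p in tail for p in PRODUCT_TERMS) and any(t in tail for t in LEAK_TERMS)


def find_suspect_checkouts(root):
    """Walk `root`; return sorted (path, remote, url) for lure-looking remotes."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            dirnames.remove(".git")     # do not descend into git internals
            cfg = os.path.join(dirpath, ".git", "config")
            if os.path.isfile(cfg):
                with open(cfg, encoding="utf-8", errors="replace") as f:
                    for name, url in parse_remotes(f.read()).items():
                        if looks_like_lure(url):
                            hits.append((dirpath, name, url))
    return sorted(hits)


def present_credential_stores(home):
    """Labels of credential stores that exist under `home` (secrets are not read)."""
    return sorted(label for label, rel in CREDENTIAL_STORES.items()
                  if os.path.exists(os.path.join(home, rel)))


def build_sample_tree(base):
    """Constructed sample: one lure clone, one unrelated clone, two stores."""
    repos = {
        "work/claude-code-source-leak":
            "https://github.com/example-attacker/claude-code-source-leak.git",
        "work/my-cli-tool": "git@github.com:example-dev/my-cli-tool.git",
    }
    for rel, url in repos.items():
        gitdir = os.path.join(base, rel, ".git")
        os.makedirs(gitdir)
        with open(os.path.join(gitdir, "config"), "w") as f:
            f.write('[core]\n\tbare = false\n[remote "origin"]\n\turl = %s\n'
                    '\tfetch = +refs/heads/*:refs/remotes/origin/*\n' % url)
    os.makedirs(os.path.join(base, "home", ".aws"))
    open(os.path.join(base, "home", ".aws", "credentials"), "w").close()
    open(os.path.join(base, "home", ".npmrc"), "w").close()


def run_demo():
    """Build the sample tree in a temp dir and return (lure urls, stores)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        suspects = find_suspect_checkouts(os.path.join(base, "work"))
        stores = present_credential_stores(os.path.join(base, "home"))
        return [u for _, _, u in suspects], stores


if __name__ == "__main__":
    urls, stores = run_demo()
    print("lure checkouts:", urls)
    print("credential stores to rotate:", stores)
```

On a real machine call `find_suspect_checkouts` on the directory you clone into and `present_credential_stores(os.path.expanduser("~"))`; the second list is the rotation checklist, since the script deliberately never reads the secrets themselves.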
The only legitimate source for Claude Code is through official Anthropic channels. There is no official public GitHub repository for the Claude Code source code. Any repository claiming to be the "leaked source" should be treated as potentially malicious.
```shell
# Install Claude Code only from the official npm package
npm install -g @anthropic-ai/claude-code
# Verify package integrity
npm audit signatures
```

GitHub's Response
GitHub's security team has been notified of the fake repository campaign. GitHub has previously demonstrated the ability to rapidly take down repositories used in malware distribution campaigns, though new repositories may continue to be created as takedowns occur.
Report suspicious repositories using GitHub's built-in reporting mechanism: Report repository → Malware or virus.
Broader Pattern: Lure-Based Malware After Leaks
This campaign fits a consistent pattern in the threat landscape:
| Event | Lure Used | Malware |
|---|---|---|
| Claude Code leak (2026) | Fake leaked source repos | Vidar infostealer |
| Trivy supply chain (2026) | Hijacked GitHub Actions tags | Infostealer |
| Axios npm breach (2026) | Backdoored npm package | RAT |
| Various ChatGPT leaks | Fake ChatGPT source repos | Various stealers |
Developer curiosity about leaked source code is a reliable and recurring attack surface. Security teams should include awareness training covering this threat pattern as part of developer security programs.
Source: BleepingComputer — April 2, 2026