Claude · The Register
Fake Claude Code source downloads actually delivered malware
Compiled by KHAO Editorial — aggregated from 1 outlet. See llms.txt for citation guidance.
◌ Single Source
Tens of thousands of people eagerly downloaded the leaked Claude Code source code this week, and some of those downloads came with a side of credential-stealing malware.
Key facts
- While that was no longer the case at The Register 's time of publication, at least two of the developer's trojanized Claude Code source leak repos remained on GitHub, and one of them had 793 forks
- The malicious.7z archive in the repository's releases section is named Claude Code
- Leaked Source Code, and it includes a Rust-based dropper named ClaudeCode_x64.exe
- They added that the GitHub repository link appeared near the top of Google results for searches like "leaked Claude Code
- Zscaler's ThreatLabz researchers came across the repo while monitoring GitHub for threats, and said it's disguised as a leaked TypeScript source code for Anthropic's Claude Code CLI
Summary
A malicious GitHub repository published by idbzoomh uses the Claude Code exposure as a lure to trick people into downloading malware, including Vidar, an infostealer that snarfs account credentials, credit card data, and browser history; and GhostSocks, which is used to proxy network traffic. Zscaler's ThreatLabz researchers came across the repo while monitoring GitHub for threats, and said it's disguised as a leaked TypeScript source code for Anthropic's Claude Code CLI. "The README file even claims the code was exposed through a.map file in the npm package and then rebuilt into a working fork with 'unlocked' enterprise features and no message limits," the security sleuths said in a Thursday blog. They added that the GitHub repository link appeared near the top of Google results for searches like "leaked Claude Code.