Alert Across the Internet! Claude Code Source Code Leak Triggers "Secondary Disaster": Hackers Set GitHub Phishing Traps

marsbitPublicado a 2026-04-03Actualizado a 2026-04-03

Resumen

A major security alert is circulating online following the accidental leak of Claude Code's source code by Anthropic. Hackers are exploiting the incident by creating fake GitHub repositories that distribute the information-stealing malware known as **Vidar**. Posing as a user named `idbzoomh`, the threat actor set up multiple repositories claiming to offer "unlocked enterprise features" from the leaked source code. These repositories are optimized for search engines to appear at the top of results for queries like “Claude Code leak,” increasing their reach. If a user downloads and executes the provided files, the Vidar malware is deployed. It is a sophisticated stealer designed to harvest sensitive data such as browser credentials, cryptocurrency wallets, and personal information. The attack also installs **GhostSocks**, a proxy tool that establishes hidden communication channels for remote control and data exfiltration. Security firm Zscaler notes that these malicious repositories update frequently, making it easier to bypass basic security scans. At least two similar repositories have been identified, suggesting the same attacker is testing different distribution methods. This incident highlights the compound risks in the AI era, where initial human error leads to secondary threats like social engineering. Developers are urged to obtain software only through official channels and avoid executing untrusted binaries.

According to an April 2nd report, the Claude Code source code leak incident caused by an Anthropic human error continues to escalate. Currently, hackers have exploited this hot topic to spread information-stealing malware named Vidar via fake repositories on GitHub.

Upgraded Bait: Claiming to "Unlock Enterprise-Level Features"

Monitoring reports from security company Zscaler show that a user named idbzoomh has created multiple fake repositories on GitHub.

Precision Phishing: The hacker claims in the repository description to provide leaked source code that "unlocks enterprise features," luring eager developers to download it.
SEO Optimization: To maximize the impact, the attackers optimized for search engine keywords, causing these malicious repositories to often rank at the top when users search for terms like "Claude Code leak".

Virus Profile: Vidar Infiltrates, Data "Relocated"

Once users are deceived into downloading and executing the contained executable files, the system is quickly compromised:

Information Theft: The implanted Vidar is a highly mature malware on the dark web, specifically designed to harvest browser account passwords, cryptocurrency wallets, and various types of sensitive personal information.
Persistent Latency: The virus also simultaneously deploys the GhostSocks proxy tool, setting up a secret channel for subsequent remote control and data exfiltration.

Risk Warning: Beware of "Free Lunches" from Unofficial Channels

Security researchers point out that the malicious compressed files in these fake repositories are updated at an extremely high frequency, making them easy to bypass basic security detection. At least two repositories with similar tactics have been discovered so far, suspected to be tests of different propagation strategies by the same attacker.

Industry Observation: The "Chain Set" of AI Security

From Anthropic's source code packaging mistake to hackers secondarily exploiting the hot topic for phishing, this incident reflects the complexity of security risks in the AI era. When the developer community becomes the target of attacks, basic digital literacy—not running binaries from unknown sources—remains the last line of defense.

Editors remind all developers: Please be sure to obtain tools through official Anthropic channels. Do not fall into the traps carefully designed by hackers out of curiosity or the pursuit of "cracked features."

Preguntas relacionadas

QWhat is the primary malware being distributed through the fake GitHub repositories related to the Claude Code leak?

AThe primary malware being distributed is called Vidar, which is a sophisticated information-stealing malware known for harvesting browser credentials, cryptocurrency wallets, and other sensitive personal data.

QHow are the attackers making their fake GitHub repositories more visible to potential victims?

AThe attackers are using Search Engine Optimization (SEO) techniques by including popular keywords like 'Claude Code leak' in the repository descriptions, causing these malicious repositories to appear at the top of search results.

QWhat additional tool does the Vidar malware deploy on an infected system to maintain persistence and enable data exfiltration?

AThe Vidar malware also deploys a tool called GhostSocks, which is a proxy utility that creates a secret channel for remote control and ongoing data exfiltration from the compromised system.

QWhat human error at Anthropic initially led to the situation that hackers are exploiting?

AThe initial event was a source code leak of Claude Code caused by a human error at Anthropic, where the code was mistakenly made available, creating the opportunity for hackers to use it as a lure.

QWhat is the main advice from security researchers to developers to avoid falling victim to these traps?

AThe main advice is to only obtain tools through official Anthropic channels and to avoid downloading or running binary files from unverified sources, emphasizing that basic digital hygiene is the last line of defense.

Lecturas Relacionadas

Stuck Polymarket: The Real Test After Riding the Traffic Boom Has Arrived

Polymarket, a leading prediction market platform, is facing significant technical challenges as its growth outpaces its current infrastructure on Polygon. Users are experiencing laggy transactions, unresponsive orders, and delayed confirmations, severely impacting the trading experience. In response, DeFi Engineering VP Josh Stevens outlined a comprehensive engineering overhaul. The plan includes reducing on-chain data delays, fixing order cancellation issues, rebuilding the central limit order book (CLOB), improving website performance, and developing a unified SDK and API. A major revelation was the ongoing "chain migration," indicating a potential move away from Polygon. The core issue is that Polymarket has evolved from a simple prediction market into a high-frequency trading platform, making Polygon's limitations—such as block space, gas fees, and block time—a ceiling for further growth. The migration is not just a simple chain switch but a fundamental rebuild of its trading system to support more complex products like perpetual contracts (Perps). This announcement has sparked competition among chains like Solana, Sui, and Algorand, all vying to host Polymarket. For Polygon, losing this key application, which contributes significantly to its gas fee revenue, would be a major setback. The real test for Polymarket is no longer attracting users but proving it can provide a stable, reliable trading environment that retains them.

Odaily星球日报Hace 17 min(s)

Stuck Polymarket: The Real Test After Riding the Traffic Boom Has Arrived

Odaily星球日报Hace 17 min(s)

Key Lawmaker 'Relents', Wash's Biggest Obstacle to Assuming Fed Chair on May 15 Cleared

Key political opposition to Kevin Warsh's nomination as Federal Reserve Chair has been removed after Senator Thom Tillis (R-N.C.) withdrew his objection, clearing the way for a committee vote on April 29. Tillis had previously blocked the nomination due to a criminal investigation into current Chair Jerome Powell, which he viewed as a threat to Fed independence. The Justice Department has since dropped the investigation. Warsh, who has broad Republican support, is expected to be confirmed by the Senate in time for Powell’s term expiration on May 15. If confirmed, Warsh has signaled significant policy changes, including abolishing the "dot plot" of interest rate projections and reevaluating the Fed’s forward guidance framework. These changes could fundamentally alter the market’s pricing mechanisms for stocks, bonds, and currencies. Although the criminal case against Powell is closed, uncertainty remains as he retains his board seat until 2028. President Trump has not fully endorsed Powell, citing an ongoing review of Fed renovation spending. Warsh’s potential reforms target the communication tools developed post-2008, which have become foundational to global asset pricing.

marsbitHace 41 min(s)

Key Lawmaker 'Relents', Wash's Biggest Obstacle to Assuming Fed Chair on May 15 Cleared

marsbitHace 41 min(s)

Lowering Expectations for BTC's Next Bull Market

The author, Alex Xu, explains his decision to significantly reduce his Bitcoin holdings (from full to ~30% of his portfolio) during the current bull cycle, citing a lowered long-term outlook for BTC's price appreciation in the next cycle. He outlines six key reasons for this reduced expectation: 1. **Diminished Growth Drivers:** The narrative of exponential user adoption has largely played out with institutional ETF adoption. The next major growth phase—adoption by sovereign national reserves or central banks—seems unlikely in the near future. 2. **Personal Opportunity Cost:** More attractive investment opportunities have emerged in other assets, such as undervalued companies. 3. **Industry-Wide Contraction:** The broader crypto industry is struggling, with most Web3 business models (SocialFi, GameFi, DePIN) failing. This overall萧条 (depression) reduces the fundamental demand and consensus for Bitcoin. 4. **Strain on Major Buyer:** MicroStrategy, a major corporate buyer of BTC, faces rising financing expenses for its debt, which could slow its purchasing rate and create significant marginal pressure on the market. 5. **Increased Competition from Gold:** The emergence of "tokenized gold" has closed the functional gap (portability, divisibility) between physical gold and Bitcoin, offering a strong competitor in the non-sovereign store-of-value space. 6. **Security Budget Concerns:** The block reward halving continues to exacerbate the long-standing issue of funding Bitcoin's network security, with new fee source explorations like Ordinals and L2s largely failing. The author's decision to hold a significant (though reduced) position reflects a cautious, not bearish, outlook. He remains open to increasing his exposure if the fundamental reasons for his skepticism change or if new positive catalysts emerge.

marsbitHace 55 min(s)

Lowering Expectations for BTC's Next Bull Market

marsbitHace 55 min(s)

Prediction Markets Cannot Exist Without Insider Trading, But Insider Trading Is Killing Them

Prediction markets face a fundamental contradiction: they rely on insider trading to generate accurate prices, yet this same activity erodes public trust and threatens their survival. Recent scandals, such as a U.S. special forces member making $400,000 on Polymarket using classified information about a raid, highlight the severity of the issue. While platforms like Polymarket and Kalshi market themselves as venues where "everyone is an expert" and encourage informed trading, they also enforce policies against illegal insider trading. The core dilemma is that these markets depend on informed insiders for price efficiency but require uninformed retail participants to provide liquidity. If insider trading is too rampant, retail traders leave, perceiving the market as unfair. If restrictions are too strict, valuable information flow dries up, reducing the market’s predictive utility. The challenge is finding a balance that maintains both accuracy and perceived fairness—a task complicated by regulatory pressures and recurring scandals.

marsbitHace 1 hora(s)

Prediction Markets Cannot Exist Without Insider Trading, But Insider Trading Is Killing Them

marsbitHace 1 hora(s)

Can Iran 'Control' the Strait of Hormuz?

Iran has announced a comprehensive plan to assert control over the strategic Strait of Hormuz, a critical global oil shipping chokepoint. The proposed measures include requiring all vessels to obtain Iranian permission for passage, imposing fees for security, environmental protection, and navigation management—preferably paid in Iranian rials—and absolutely banning Israeli ships. Vessels from countries deemed hostile by Iran’s top security bodies may also be barred. Analysts suggest Iran’s motives are multifaceted: increasing pressure on the U.S. and Israel by leveraging control over oil transit to influence global prices and inflation; creating a new revenue stream, potentially exceeding $7.7 billion annually, to counter Western sanctions and support postwar reconstruction; and using transit permissions as bargaining chips in future negotiations, notably with the U.S. However, the plan faces significant practical and diplomatic challenges. Enforcing comprehensive interception and fee collection in the busy waterway, patrolled by international military forces, would be difficult. The U.S. has already countering with a blockade of Iranian ports and threats to intercept any ship paying fees, potentially strangling Iran’s oil exports and fee revenue. Broad international opposition, led by European and Gulf states, and legal controversies further complicate implementation. The proposal may ultimately serve more as a negotiating tactic than a feasible policy, with its execution remaining highly uncertain.

marsbitHace 2 hora(s)

Can Iran 'Control' the Strait of Hormuz?

marsbitHace 2 hora(s)

Trading

Spot

Futuros