Alert Across the Internet! Claude Code Source Code Leak Triggers "Secondary Disaster": Hackers Set GitHub Phishing Traps

marsbitPublished on 2026-04-03Last updated on 2026-04-03

Abstract

A major security alert is circulating online following the accidental leak of Claude Code's source code by Anthropic. Hackers are exploiting the incident by creating fake GitHub repositories that distribute the information-stealing malware known as **Vidar**. Posing as a user named `idbzoomh`, the threat actor set up multiple repositories claiming to offer "unlocked enterprise features" from the leaked source code. These repositories are optimized for search engines to appear at the top of results for queries like “Claude Code leak,” increasing their reach. If a user downloads and executes the provided files, the Vidar malware is deployed. It is a sophisticated stealer designed to harvest sensitive data such as browser credentials, cryptocurrency wallets, and personal information. The attack also installs **GhostSocks**, a proxy tool that establishes hidden communication channels for remote control and data exfiltration. Security firm Zscaler notes that these malicious repositories update frequently, making it easier to bypass basic security scans. At least two similar repositories have been identified, suggesting the same attacker is testing different distribution methods. This incident highlights the compound risks in the AI era, where initial human error leads to secondary threats like social engineering. Developers are urged to obtain software only through official channels and avoid executing untrusted binaries.

According to an April 2nd report, the Claude Code source code leak incident caused by an Anthropic human error continues to escalate. Currently, hackers have exploited this hot topic to spread information-stealing malware named Vidar via fake repositories on GitHub.

Upgraded Bait: Claiming to "Unlock Enterprise-Level Features"

Monitoring reports from security company Zscaler show that a user named idbzoomh has created multiple fake repositories on GitHub.

  • Precision Phishing: The hacker claims in the repository description to provide leaked source code that "unlocks enterprise features," luring eager developers to download it.

  • SEO Optimization: To maximize the impact, the attackers optimized for search engine keywords, causing these malicious repositories to often rank at the top when users search for terms like "Claude Code leak".

Virus Profile: Vidar Infiltrates, Data "Relocated"

Once users are deceived into downloading and executing the contained executable files, the system is quickly compromised:

  • Information Theft: The implanted Vidar is a highly mature malware on the dark web, specifically designed to harvest browser account passwords, cryptocurrency wallets, and various types of sensitive personal information.

  • Persistent Latency: The virus also simultaneously deploys the GhostSocks proxy tool, setting up a secret channel for subsequent remote control and data exfiltration.

Risk Warning: Beware of "Free Lunches" from Unofficial Channels

Security researchers point out that the malicious compressed files in these fake repositories are updated at an extremely high frequency, making them easy to bypass basic security detection. At least two repositories with similar tactics have been discovered so far, suspected to be tests of different propagation strategies by the same attacker.

Industry Observation: The "Chain Set" of AI Security

From Anthropic's source code packaging mistake to hackers secondarily exploiting the hot topic for phishing, this incident reflects the complexity of security risks in the AI era. When the developer community becomes the target of attacks, basic digital literacy—not running binaries from unknown sources—remains the last line of defense.

Editors remind all developers: Please be sure to obtain tools through official Anthropic channels. Do not fall into the traps carefully designed by hackers out of curiosity or the pursuit of "cracked features."

Related Questions

QWhat is the primary malware being distributed through the fake GitHub repositories related to the Claude Code leak?

AThe primary malware being distributed is called Vidar, which is a sophisticated information-stealing malware known for harvesting browser credentials, cryptocurrency wallets, and other sensitive personal data.

QHow are the attackers making their fake GitHub repositories more visible to potential victims?

AThe attackers are using Search Engine Optimization (SEO) techniques by including popular keywords like 'Claude Code leak' in the repository descriptions, causing these malicious repositories to appear at the top of search results.

QWhat additional tool does the Vidar malware deploy on an infected system to maintain persistence and enable data exfiltration?

AThe Vidar malware also deploys a tool called GhostSocks, which is a proxy utility that creates a secret channel for remote control and ongoing data exfiltration from the compromised system.

QWhat human error at Anthropic initially led to the situation that hackers are exploiting?

AThe initial event was a source code leak of Claude Code caused by a human error at Anthropic, where the code was mistakenly made available, creating the opportunity for hackers to use it as a lure.

QWhat is the main advice from security researchers to developers to avoid falling victim to these traps?

AThe main advice is to only obtain tools through official Anthropic channels and to avoid downloading or running binary files from unverified sources, emphasizing that basic digital hygiene is the last line of defense.

Related Reads

From Aluminum To Bitcoin: Alcoa To Sell Dormant Plant To NYDIG

Alcoa is in advanced talks to sell its dormant Massena, New York aluminum smelter to Bitcoin mining firm NYDIG, with a deal expected to close by mid-2026. The site, idle since 2014, is attractive due to its existing heavy-duty electrical infrastructure, including substations and grid connections capable of handling massive power loads, as well as access to low-cost hydroelectric power from the New York Power Authority. This follows a trend of crypto and data center firms repurposing deindustrialized sites for their built-in infrastructure. While many miners are diversifying into AI, NYDIG is doubling down on Bitcoin, having recently acquired Crusoe Energy's mining operations. The Massena deal represents a significant expansion of its Bitcoin-focused strategy.

bitcoinist10m ago

From Aluminum To Bitcoin: Alcoa To Sell Dormant Plant To NYDIG

bitcoinist10m ago

Crypto Regulation: Polish Parliament Fails To Overturn Presidential Veto Again

Poland's Parliament has again failed to override President Karol Narcowski's veto of the Crypto Asset Market Act, which aimed to align national regulations with the EU's MICA framework. The vote fell short of the required majority, marking the second unsuccessful attempt to pass the legislation. The President has consistently opposed the bill, citing overregulation, ambiguity, and increased burdens on small businesses. Government ministers criticized the veto, with the Finance Minister warning that the lack of regulation fosters a risky environment for investors. Prime Minister Donald Tusk also accused Poland's largest crypto exchange, Zondacrypto, of having alleged ties to Russian intelligence and funding opposition politicians, linking these concerns to the legislative push. The government has vowed to continue its efforts to pass the bill.

bitcoinist2h ago

Crypto Regulation: Polish Parliament Fails To Overturn Presidential Veto Again

bitcoinist2h ago

Hong Kong Crypto Scam Shock: Woman Loses Nearly $1 Million As AI Fraud Surges

Hong Kong Crypto Scam Shock: Woman Loses Nearly $1 Million As AI Fraud Surges A Hong Kong woman lost HK$7.7 million (approximately $982,000) after being lured into a fraudulent cryptocurrency investment platform. The scam began on Telegram, where a person posing as an investment expert promoted an AI-powered trading strategy with guaranteed returns. After making 17 transfers of USDT and Ethereum, the victim was unable to withdraw her funds. Hong Kong Police have reported a significant surge in such online investment fraud, with over 80 cases recorded in a single week, totaling losses of nearly HK$80 million. Authorities warn that scammers are increasingly using sophisticated tactics, including promises of "AI trading" and "guaranteed profits," to appear credible. This follows a similar incident last month where a retiree lost HK$6.6 million in a multi-stage scam. Police urge the public to be cautious of unsolicited investment advice and to verify platforms through the official CyberDefender service before transferring any money. They emphasize that no legitimate investment can guarantee returns. Investigations are ongoing.

bitcoinist6h ago

Hong Kong Crypto Scam Shock: Woman Loses Nearly $1 Million As AI Fraud Surges

bitcoinist6h ago

a16z New Article: Prediction Markets Entering the Fast-Forward Phase

Prediction markets are evolving from niche tools focused on elections and sports into a broader financial infrastructure for pricing real-world uncertainty. Key shifts include: application expansion beyond sports into entertainment, macro, and CPI markets; the creation of direct price benchmarks for events (e.g., tariffs, Fed decisions), enabling precise hedging without correlated asset risks; and growing institutional adoption, though still early-stage. While sports drive volume, long-tail markets show faster growth. Current institutional use is primarily for data, but progression toward system integration and active trading is expected. Regulatory advancements, like margin trading, are critical for scaling. The market is transitioning toward an essential, institutional-grade tool, similar to the evolution of options markets.

marsbit8h ago

a16z New Article: Prediction Markets Entering the Fast-Forward Phase

marsbit8h ago

Kyrgyzstan President Meets Justin Sun, Tron Collaborates with Kyrgyzstan to Build a New Digital Economy Landscape in Central Asia

Justin Sun, founder of TRON, met with Kyrgyzstan President Sadyr Japarov in Bishkek to discuss digital financial transformation, virtual asset regulation, and TRON’s strategic expansion into Central Asia. This marks TRON's first major partnership in the region. President Japarov emphasized Kyrgyzstan’s goal to become a regional hub for virtual assets and Web3 technologies, aligning with TRON’s strengths in high-throughput, low-cost stablecoin infrastructure. Sun expressed TRON’s commitment to supporting this vision through concrete projects. Japarov also highlighted the work of the National Committee for Virtual Assets and Blockchain Development, which he chairs. The committee has advanced initiatives including exploring a national stablecoin, testing a CBDC, and developing a regulatory sandbox. The meeting underscores growing international interest in Kyrgyzstan’s digital economy strategy.

marsbit8h ago

Kyrgyzstan President Meets Justin Sun, Tron Collaborates with Kyrgyzstan to Build a New Digital Economy Landscape in Central Asia

marsbit8h ago

Trading

Spot
Futures
活动图片

Hot Categoriesright-arrow

Hot Tagsright-arrow