Claude Code Leak Exploited: Fake GitHub Repos Push Infostealers
The recent leak of Claude Code has rapidly become a lure for malicious actors. Threat actors are capitalizing on the attention surrounding the leaked code by creating fake repositories on GitHub. These impostor repositories masquerade as ‘open-source’ or ‘upgraded’ versions of Claude Code, but their true purpose is to distribute malware, specifically the Vidar infostealer.
Users searching for ‘leaked Claude Code’ may find these deceptive repositories ranked high in search results. Downloading and executing a file such as ‘ClaudeCode_x64.exe’ from one of them can lead to the deployment of Vidar and GhostSocks. These tools are built to steal sensitive information and to route traffic through the infected host as a proxy. Security researchers at Zscaler have linked this activity to repositories published by a user identified as ‘idbzoomh’.
This incident serves as a critical reminder that not every code leak, especially those found on platforms like GitHub, is a valuable resource. Sometimes, what appears to be a legitimate release is merely a Trojan horse, hiding malicious payloads beneath a veneer of open-source accessibility. Vigilance is paramount when engaging with leaked or unverified code.
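As an added example (not code from the article, from Zscaler, or from any real project), the Python routine below turns the warning signs described above into checks over repository metadata: a ‘source leak’ whose release is a prebuilt Windows binary, a publisher account that is only days old, and a repository with no history or source files. The dict shape, field names and sample values are constructed assumptions, not GitHub’s API, and nothing is fetched from the network.

```python
from datetime import datetime, timezone

# File types a source-code drop has no reason to publish as release assets.
BINARY_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".dll")


def _days_since(iso_ts, now):
    """Days between a GitHub-style ISO-8601 timestamp ('Z' suffix) and now."""
    then = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return (now - then).days


def triage_repo(repo, now=None):
    """Score a repository that is offered as a 'leaked' source drop.

    `repo` is a plain dict using the hypothetical field names below (loosely
    modelled on GitHub's API objects; an assumption of this example).
    Returns (score, reasons): one point per red flag, each with a reason.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    # 1. The pattern in the article: the 'source' is bait, the .exe is the payload.
    binaries = [a for a in repo.get("release_assets", [])
                if a.lower().endswith(BINARY_SUFFIXES)]
    if binaries:
        reasons.append("release ships executables: " + ", ".join(binaries))
    # 2. Throwaway publisher: account created shortly before the 'leak'.
    owner_age = _days_since(repo["owner_created_at"], now)
    if owner_age < 30:
        reasons.append(f"publisher account is only {owner_age} days old")
    # 3. No real history behind the claim.
    if repo.get("commit_count", 0) <= 2:
        reasons.append(f"only {repo.get('commit_count', 0)} commit(s)")
    # 4. A code leak with no code in it.
    if repo.get("source_file_count", 0) == 0:
        reasons.append("no source files, only binaries and a README")
    return len(reasons), reasons


# Constructed samples for demonstration; the owner names are placeholders.
SAMPLE_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
IMPOSTOR = {"owner": "example-throwaway", "owner_created_at": "2026-03-28T00:00:00Z",
            "commit_count": 1, "source_file_count": 0,
            "release_assets": ["ClaudeCode_x64.exe", "README.md"]}
PLAUSIBLE = {"owner": "example-vendor-org", "owner_created_at": "2015-06-01T00:00:00Z",
             "commit_count": 400, "source_file_count": 120,
             "release_assets": ["v1.0.0.tar.gz"]}

if __name__ == "__main__":
    for name, repo in (("impostor", IMPOSTOR), ("plausible", PLAUSIBLE)):
        score, reasons = triage_repo(repo, now=SAMPLE_NOW)
        print(name, score, reasons)
```

A non-zero score is a reason to stop and verify the publisher out of band, not a verdict; a patient attacker can age an account and pad a commit history.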