According to reports on April 2, the fallout from the Claude Code source code leak, caused by human error at Anthropic, continues to escalate. Hackers are exploiting the incident to distribute Vidar, an information-stealing malware, through fake repositories on GitHub.
Bait upgrade: Claims to “unlock enterprise-level features”
Monitoring reports from cybersecurity company Zscaler show that a user named idbzoomh created multiple fake repositories on GitHub.
Precise phishing: The hacker claimed in the repository description to offer leaked source code that "unlocks enterprise features," luring developers eager to try new features to download it.
SEO optimization: To increase their reach, the attackers optimized the malicious repositories for search-engine keywords, causing them to appear at the top of search results for terms like “Claude Code leak.”

Malware Profile: Vidar Infiltration, Data Relocation
Once a user takes the bait, downloads the executable file and runs it, the system is quickly compromised:
Information theft: The embedded Vidar is a highly sophisticated malware prevalent on the dark web, specifically designed to steal browser credentials, cryptocurrency wallets, and other sensitive personal information.
Persistence: The malware also deploys the GhostSocks proxy tool to establish a covert channel for subsequent remote control and data exfiltration.
Risk Warning: Be cautious of "free lunches" from unofficial sources.
Security researchers have noted that the malicious compressed files in these fake repositories are updated with extremely high frequency, which makes it easy for them to evade basic security detection. At least two repositories using similar techniques have been identified, suggesting that the same attacker is testing different distribution strategies.
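Why an exact-hash blocklist misses a frequently repacked archive, next to a content check that does not depend on the archive hash. This is an added example, not code from Zscaler or the original report; the ZIP format, the file names and the "MZ" stub are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an executable: just the "MZ" magic, no real malware.
FAKE_EXE = b"MZ" + b"\x00" * 62
MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
RISKY_EXT = (".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".msi", ".lnk")


def build_archive(padding: bytes) -> bytes:
    """Constructed ZIP lure; `padding` mimics the attacker repacking it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", b"unlocks enterprise features\n" + padding)
        zf.writestr("sample_installer.exe", FAKE_EXE)  # hypothetical name
    return buf.getvalue()


def hash_blocklist_hit(data: bytes, blocklist: set) -> bool:
    """Basic detection: exact SHA-256 match on the whole archive."""
    return hashlib.sha256(data).hexdigest() in blocklist


def find_executables(data: bytes) -> list:
    """Content check: flag entries by magic bytes or extension, ignoring the archive hash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted entry: cannot be inspected
                findings.append((info.filename, "encrypted, uninspectable"))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            kind = next((v for k, v in MAGIC.items() if head.startswith(k)), None)
            if kind is None and info.filename.lower().endswith(RISKY_EXT):
                kind = "risky extension"
            if kind:
                findings.append((info.filename, kind))
    return findings


if __name__ == "__main__":
    v1, v2 = build_archive(b"build 1"), build_archive(b"build 2")
    known_bad = {hashlib.sha256(v1).hexdigest()}
    print(hash_blocklist_hit(v1, known_bad), hash_blocklist_hit(v2, known_bad))
    print(find_executables(v2))
```

The repacked archive slips past the hash blocklist but is still flagged by the content check, which is why archives from unofficial repositories should be inspected rather than matched against known hashes alone.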
Industry Insight: The Chain of AI Security Risks
From Anthropic’s source code packaging error to hackers exploiting the incident for phishing attacks, this event highlights the complexity of security risks in the AI era. When developer communities become targets, basic digital literacy—avoiding execution of binaries from unknown sources—remains the final line of defense.
The editor reminds developers: Please obtain tools exclusively through Anthropic’s official channels, and do not fall into traps meticulously designed by hackers out of curiosity or a desire for “cracked features.”
