⚠️ Threat Alert: Fake 'Claude Code Leak' GitHub Repos Dropping Vidar Infostealer Malware

The excitement around the Claude Code source code leak has already attracted threat actors. Security researchers at Zscaler ThreatLabZ have confirmed an active malware campaign on GitHub where attackers are posing as "leak mirrors" offering unlocked enterprise features and no usage restrictions — a lure perfectly calibrated to catch curious developers hunting for the original exposure. The malicious archive delivers Vidar, a commodity infostealer that silently exfiltrates saved credentials, credit card data, and browser history, bundled with GhostSocks, a network traffic proxy that turns the victim's machine into a residential IP relay tied to their developer identity.

The timing is deliberate. Fake repos are appearing near the top of Google search results for "leaked Claude Code," and the archive is being updated regularly to add new payloads and evade signature detection. If you or anyone on your team went searching for the leak in the past 48 hours and downloaded anything outside the official npm registry, treat the machine as compromised: rotate credentials immediately, check for unexpected outbound network connections, and audit recently installed software. The only legitimate source remains npm — npm install -g @anthropic-ai/claude-code@latest. Both identified repositories have been reported to GitHub, but new variants are likely.

This is a predictable second chapter to any high-profile code leak, and it moved unusually fast. The combination of Vidar and GhostSocks is particularly dangerous for developers: GhostSocks gives attackers a residential proxy anchored to a developer's identity, useful for bypassing API rate limiting, evading fraud detection, and staging further attacks under a trusted IP. Stay cautious, and share this alert with teammates who may have been searching.

Read the full article at BleepingComputer →