Malware News Anthropic Claude Code Source‑Code Leak and Its Abuse as Malware‑Distribution Vector

Khushal


On March 31, 2026, Anthropic accidentally exposed the full source code of Claude Code (its flagship terminal-based AI coding agent) through a 59.8 MB JavaScript source map (.map) file bundled in the public npm package @anthropic-ai/claude-code version 2.1.88. A security researcher, Chaofan Shou (@Fried_rice), publicly disclosed Anthropic’s leak on X, which triggered an immediate viral response.

The leaked file contained approximately 513,000 lines of unobfuscated TypeScript across 1,906 files, revealing the complete client-side agent harness, according to online publications. Within hours, the codebase was downloaded from Anthropic’s own Cloudflare R2 bucket, mirrored to GitHub, and forked tens of thousands of times. Thousands of developers, researchers, and threat actors are actively analyzing, forking, porting to Rust/Python and redistributing it. Some of the GitHub repositories have gained over 84,000 stars and 82,000 forks. Anthropic has issued Digital Millennium Copyright Act (DMCA) notices on some mirrors, but the code is now available across hundreds of public repositories.

In addition to discussing the Anthropic leak, this blog post also covers a “Claude Code leak” lure delivering Vidar and Ghostsocks malware that was discovered and analyzed by the Zscaler ThreatLabz team.
 
Short answer

I would treat that post carefully and not assume every claim in it is accurate just because it is written in a polished way.

What can be said safely

  • A source map accidentally published in a package can expose a lot of readable source code. That part is technically plausible.
  • If code was exposed publicly, mirrors and reposts can appear very quickly. That is also plausible in general.
  • The malware-lure part is a separate issue from the alleged source-code exposure. Attackers often use trending news topics as bait.

What should not be assumed without verification

  • The exact package version, file size, number of files, and line counts
  • Claims about “complete” source code exposure
  • Statements about how many forks, stars, or mirrors exist
  • Whether threat actors are actively using the leaked code in a meaningful way
  • Any implied conclusion that the coding agent itself is now unsafe to use

Those details need confirmation from primary sources, not just secondary write-ups.

Important security point

Even if a client-side code leak happened, that does not automatically mean Anthropic’s backend systems, models, customer data, or API secrets were compromised. Client/tooling source exposure and backend compromise are very different things.

On the malware angle

The safer takeaway is this:

  • Do not download “leaked Claude Code” builds, repacks, cracks, or mirrors from random GitHub repositories or file-sharing sites.
  • Do not run scripts or installers promoted through X, Telegram, Discord, or YouTube comments.
  • If someone wants to inspect a package, do it in an isolated test environment and verify hashes/signatures where possible.
  • Scan suspicious archives with reputable security tools and check multi-engine results on VirusTotal.

Practical conclusion

The Zscaler post may contain useful research, but the forum should separate three different claims:

  • an alleged source-map exposure
  • public redistribution of exposed code
  • malware campaigns abusing the news as a lure

They are related by topic, but they are not the same event. The safest conclusion is to verify the original package history and official vendor statements before treating the more dramatic claims as established fact, and to avoid downloading any unofficial “leak” material.
 
Reactions: Halp2001
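
The first point in the reply above, that a published source map can expose readable source, is something a publisher can check before release. The following is an added example, not part of any post in this thread and not any vendor's tooling: it scans an npm-style .tgz archive for .map files and counts how many original files are embedded in `sourcesContent`. The package name and file contents are constructed.

```python
import io
import json
import tarfile


def audit_tarball(tgz_bytes):
    """One finding per .map file; sourcesContent entries are full original files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith(".map")):
                continue
            raw = tar.extractfile(member).read()
            try:
                smap = json.loads(raw)
            except ValueError:
                smap = None  # unparseable map is still reported, with zero counts
            if not isinstance(smap, dict):
                smap = {}
            texts = [t for t in smap.get("sourcesContent") or [] if isinstance(t, str)]
            findings.append({
                "path": member.name,
                "map_bytes": len(raw),
                "sources": len(smap.get("sources") or []),
                "embedded": len(texts),
                "embedded_bytes": sum(len(t.encode("utf-8")) for t in texts),
            })
    return findings


def build_sample_package():
    """Constructed sample: a tiny package that ships its bundle's source map."""
    smap = {"version": 3, "file": "cli.js", "mappings": "AAAA",
            "sources": ["../src/main.ts", "../src/auth.ts"],
            "sourcesContent": ["export const main = () => 1;\n", None]}
    files = {"package/package.json": b'{"name": "example-cli", "version": "0.0.1"}',
             "package/cli.js": b"console.log(1)\n//# sourceMappingURL=cli.js.map\n",
             "package/cli.js.map": json.dumps(smap).encode()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_tarball(build_sample_package()))
```

A release gate would fail the build when `embedded` is non-zero for a package that is not meant to ship its sources.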
Executive Summary
On March 31, 2026, Anthropic accidentally exposed the source code for its Claude Code CLI tool via an npm package .map file. Threat actors are actively using the public interest in this leak as a social engineering lure, distributing malicious GitHub repositories that deliver Vidar infostealer and GhostSocks proxy malware. While the leak itself is a confirmed operational security failure by Anthropic, the assessment is that the primary risk to organizations stems from developers manually executing untrusted, trojanized forks of this code.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1195.001 (Supply Chain Compromise: Software Dependencies and Development Tools)
  • T1204.001 (User Execution: Malicious Link/File)
  • T1090 (Proxy)

CVE Profile
N/A [NVD Score: None]
[CISA KEV Status: Inactive]
(The incident involves exposed proprietary code and social engineering, not a distinct software vulnerability.)

Telemetry

Hashes

  • d8256fbc62e85dae85eb8d4b49613774 (Initial archive)
  • 9a6ea91491ccb1068b0592402029527f (Vidar v18.7)
  • 3388b415610f4ae018d124ea4dc99189 (GhostSocks)

IPs

  • 147.45.197[.]92:443
  • 94.228.161[.]88:443 (GhostSocks C2)

URLs

  • hxxps://steamcommunity[.]com/profiles/76561198721263282 (Vidar C2)

Constraint
The structure suggests that the malware relies entirely on user interaction (manual download and execution) rather than remote code execution.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue immediate communications to development teams prohibiting the download, cloning, or execution of "leaked Claude Code" repositories.

Command
Educate developers that leaked code is not "open source" and remains dangerous to run unmodified.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM and EDR for connections to the known GhostSocks C2 IPs (147.45.197[.]92, 94.228.161[.]88) and Vidar hashes.

Command
Monitor developer workstations for anomalous outbound connections or unexpected Node.js/Bun child processes.

RESPOND (RS) – Mitigation & Containment

Command
Isolate any endpoint that has cloned repositories matching idbzoomh1, leaked-claude-code, or my3jie.

RECOVER (RC) – Restoration & Trust

Command
Reimage confirmed compromised developer workstations.

Command
Validate the clean state of all proprietary source code accessed by the compromised user.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Implement Zero Trust architecture and prioritize segmenting mission critical application access from development environments.

Command
Enforce the use of official channels and signed binaries only.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you have cloned or executed unauthorized GitHub repositories claiming to contain "Claude Code."

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and MFA tokens for critical accounts using a known clean device (e.g., a phone on a cellular network), as Vidar specifically targets credentials and session tokens.

Priority 3: Persistence

Command
Conduct a full system scan with reputable antivirus tools to identify infostealers.

Command
Check Scheduled Tasks and Startup Folders for persistent binaries.

Hardening & References

Baseline
CIS Benchmarks for Developer Workstations.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source
Zscaler ThreatLabz
 
Reactions: harlan4096
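
The DETECT and RESPOND steps in the post above (C2 IPs, hashes, repository names) can be run as a single sweep over exported telemetry. This is an added example, not part of the post or of the Zscaler report: the indicators are the ones listed in the post, while the log lines, host names and log format are constructed.

```python
import re

# Indicators exactly as listed in the post above (kept defanged in source).
C2_IPS = ["147.45.197[.]92", "94.228.161[.]88"]
MD5S = {
    "d8256fbc62e85dae85eb8d4b49613774": "initial archive",
    "9a6ea91491ccb1068b0592402029527f": "Vidar v18.7",
    "3388b415610f4ae018d124ea4dc99189": "GhostSocks",
}
REPO_MARKERS = ["idbzoomh1", "leaked-claude-code", "my3jie"]


def refang(indicator):
    """Turn a defanged indicator back into a value that matches raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def hunt(lines):
    """Return (line_number, kind, detail) for every indicator hit."""
    ips = {refang(i) for i in C2_IPS}
    # Lookarounds stop a longer address such as x.x.x.920 matching x.x.x.92.
    ip_re = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
    md5_re = re.compile(r"\b[0-9a-fA-F]{32}\b")
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in ip_re.findall(line):
            if ip in ips:
                hits.append((n, "c2_ip", ip))
        for digest in md5_re.findall(line):
            if digest.lower() in MD5S:
                hits.append((n, "md5", MD5S[digest.lower()]))
        for marker in REPO_MARKERS:
            if marker in line.lower():
                hits.append((n, "repo", marker))
    return hits


# Constructed sample telemetry (not real logs): proxy, EDR and shell history lines.
SAMPLE = [
    "2026-04-02T09:14:07Z proxy dev-ws-12 CONNECT 147.45.197.92:443 bytes=5120",
    "2026-04-02T09:14:09Z proxy dev-ws-12 CONNECT 147.45.197.920:443 bytes=0",
    "2026-04-02T09:13:55Z edr dev-ws-12 file_create md5=9A6EA91491CCB1068B0592402029527F",
    "2026-04-02T09:10:31Z shell dev-ws-12 git clone https://github.example/u/leaked-claude-code",
    "2026-04-02T09:20:00Z proxy dev-ws-07 CONNECT 104.16.0.1:443 bytes=900",
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```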
For the home user, what deserves attention is the source of the software you install. When news breaks about code leaks, attackers often take advantage by disguising malware as “leaked versions” or clones of legitimate apps. That means anyone can get caught if they download without verifying.

Practical steps help avoid trouble:

  • Always install from official sources, never from random links shared on forums or social media.
  • Be skeptical of supposed “leaked apps” or alternative versions of AI tools.
  • Keep your antivirus and browser updated to block suspicious execution attempts.

In short, daily discipline at home remains the best defense, because these campaigns rely on curiosity and carelessness to spread. 📥 🔒 🏠
 
Reactions: lokamoka820