Threat actors are exploiting the Claude Code source code leak by posting fake GitHub repositories that deliver the Vidar information-stealing malware to users seeking the leak. Zscaler researchers found a malicious repo by user “idbzoomh” that uses SEO to rank for leak queries and distributes a 7‑Zip archive whose Rust dropper ClaudeCode_x64.exe installs Vidar and the GhostSocks proxy. #Vidar #ClaudeCode
Key points
- Anthropic accidentally exposed 513,000 lines of unobfuscated TypeScript via a 59.8 MB source map in an npm package.
- The leaked code revealed Claude Code’s orchestration logic, permissions, execution systems, and other security-related internals.
- Threat actors created SEO-optimized fake GitHub repositories—including one by user “idbzoomh”—to lure users searching for the leak.
- Downloaded archives contain a Rust executable (ClaudeCode_x64.exe) that drops the Vidar infostealer and the GhostSocks proxy.
- Zscaler observed frequent updates to the malicious archives and a second repository likely run by the same actor, indicating ongoing delivery experimentation.
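The first key point describes the root cause of the leak: a source map shipped inside a published npm package with the original TypeScript embedded in its sourcesContent field. As an added example (not code from Anthropic, Zscaler or the original post), the script below shows the check a release pipeline can run before publishing: walk the package directory, parse every .map file, and report any map that embeds original source, along with how many lines it exposes. The package layout, file names and source snippets are constructed sample data, not the real leaked package.

```python
import json
import os
import tempfile


def find_exposed_source_maps(package_dir):
    """Walk a package directory and report .map files whose sourcesContent
    embeds original source text. Each finding records the map path, the
    source paths it references, and the number of source lines exposed."""
    findings = []
    for root, _, files in os.walk(package_dir):
        for name in files:
            if not name.endswith(".map"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or not JSON: not a source map we can judge
            contents = data.get("sourcesContent") or []
            # A map is only a leak when at least one entry carries real source;
            # null entries mean the bundler stripped the content.
            embedded = [c for c in contents if c]
            if not embedded:
                continue
            findings.append({
                "map": os.path.relpath(path, package_dir),
                "sources": list(data.get("sources", [])),
                "embedded_files": len(embedded),
                "source_lines": sum(len(c.splitlines()) for c in embedded),
                "size_bytes": os.path.getsize(path),
            })
    return findings


def build_sample_package():
    """Create a throwaway package directory containing one leaky map and one
    safe map. Everything here is constructed sample data."""
    pkg = tempfile.mkdtemp(prefix="npm-map-check-")
    dist = os.path.join(pkg, "dist")
    os.makedirs(dist)
    with open(os.path.join(dist, "cli.js"), "w", encoding="utf-8") as fh:
        fh.write("console.log('hello');\n//# sourceMappingURL=cli.js.map\n")
    leaky = {  # embeds the original TypeScript: this is what must not ship
        "version": 3,
        "sources": ["../src/cli.ts", "../src/permissions.ts"],
        "sourcesContent": [
            "export function main(): void {\n  console.log('hello');\n}\n",
            "export function isAllowed(tool: string): boolean {\n"
            "  return tool !== 'rm';\n}\n",
        ],
        "mappings": "AAAA",
    }
    safe = {  # mappings only, sourcesContent stripped: nothing to recover
        "version": 3,
        "sources": ["../src/util.ts"],
        "sourcesContent": [None],
        "mappings": "AAAA",
    }
    with open(os.path.join(dist, "cli.js.map"), "w", encoding="utf-8") as fh:
        json.dump(leaky, fh)
    with open(os.path.join(dist, "util.js.map"), "w", encoding="utf-8") as fh:
        json.dump(safe, fh)
    return pkg


if __name__ == "__main__":
    for finding in find_exposed_source_maps(build_sample_package()):
        print(f"{finding['map']}: {finding['embedded_files']} source file(s), "
              f"{finding['source_lines']} lines exposed, "
              f"{finding['size_bytes']} bytes")
```

Run it against the directory produced by `npm pack` (after extracting the tarball) rather than the working tree, so the check sees exactly what the registry would receive; a non-empty result should fail the release job. Stripping sourcesContent from published maps, or excluding .map files via the package's files list or .npmignore, is the fix the check enforces.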