Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

MITRE Techniques

• [T1105] Ingress Tool Transfer – Used to deliver malware via GitHub release assets: ‘deliver payloads via a release asset.’
• [T1566] Phishing (Social Engineering) – The campaign used social engineering lures and urgency tied to the Claude Code leak to entice downloads: ‘social engineering techniques that prey on alarm and urgency.’
• [T1555.003] Credentials from Web Browsers – Malware components harvest browser-stored credentials and session tokens: ‘harvest Chrome credentials, browser extensions, cryptocurrency wallets, and system information.’
• [T1090] Proxy – GhostSocks establishes a SOCKS5 proxy on infected hosts to tunnel traffic and enable residential proxy abuse: ‘establish a SOCKS5 proxy on the victim’s machine.’
• [T1055] Process Injection – Detection rules reference process injection behavior used by the malware: ‘Detects process injection behavior.’
• [T1059.001] Command and Scripting Interpreter: PowerShell – The dropper and components may spawn encoded PowerShell, detected/blocked by protections: ‘Prevents spawning of encoded PowerShell.’
• [T1547] Boot or Logon Autostart Execution – Malware persistence observed via autorun-style behavior: ‘Detects non-whitelisted processes that exhibit self-propagation and persistence via autorun.’
• [T1071.001] Application Layer Protocol: Web Protocols – C2 and malware accomplice activity observed and blocked via web reputation: ‘URL Access Blocked – C&C Server.’
• [T1218] Signed Binary Proxy Execution / Fileless Techniques – The campaign uses multi-stage fileless loader chains executing in memory to evade detection: ‘executes entirely in memory using a multi-stage fileless loader chain to evade detection.’