Technology · Apr 3, 2026 · 4 min read

The Claude Code leak turns into a bait: fake GitHub repositories distribute Vidar and GhostSocks to developers

The spread of Claude Code's source code has opened a window of opportunity that threat actors did not let slip away.

Just days after the packaging incident that exposed the entire TypeScript codebase of Anthropic's terminal client on March 31, fake repositories appeared on GitHub designed to distribute malware to those attempting to download the leaked code.

How the original leak occurred

We discussed the "leak" of Claude Code's source in recent days: version 2.1.88 of the npm package @anthropic-ai/claude-code mistakenly included a 59.8 MB JavaScript source map file, a debug artifact that mapped production code back to the original TypeScript source, pointing to a publicly accessible zip archive on Anthropic's own Cloudflare R2 bucket. The result: 513,000 lines of unobfuscated TypeScript distributed over 1,906 files, including the agent orchestration logic, permission systems, hidden features, build details, and components related to internal security.
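The mechanism described above (a shipped .map file that carries or points to the original source) is something a publisher can check for before a package leaves the build machine. The following Python script is an added example, not Anthropic's or npm's own tooling: it takes the files that would go into an npm tarball, finds every source map, and reports when a map embeds original source text (`sourcesContent`) or refers to a remote location through `sourceRoot` or a `sources` entry. The sample package contents are constructed here, and the URL in it is a placeholder; `files_from_tarball` loads a real `npm pack` output for the same check.

```python
import json
import tarfile
from urllib.parse import urlsplit

# Constructed sample of an npm tarball's contents (path -> bytes). The .map file
# both embeds source text and names a remote sourceRoot; the URL is a placeholder.
SAMPLE_PACKAGE = {
    "package/package.json": b'{"name": "example-cli", "version": "1.0.0"}',
    "package/dist/cli.js": b"'use strict';console.log('hi');\n//# sourceMappingURL=cli.js.map\n",
    "package/dist/cli.js.map": json.dumps({
        "version": 3,
        "file": "cli.js",
        "sourceRoot": "https://build-artifacts.example.invalid/src/",
        "sources": ["../src/cli.ts"],
        "sourcesContent": ["export function main(): void { console.log('hi'); }\n"],
        "mappings": "AAAA",
    }).encode(),
}


def _is_remote(ref):
    """True for absolute http(s) references, which would send readers off-package."""
    parts = urlsplit(ref)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def audit_source_map(path, text):
    """Return (path, severity, message) findings for one source map's JSON text."""
    try:
        sm = json.loads(text)
    except json.JSONDecodeError:
        return [(path, "medium", "unparseable source map; inspect manually")]

    # Any shipped .map reveals the original file layout even without content.
    findings = [(path, "low", "source map ships with the package")]

    embedded = sum(1 for c in (sm.get("sourcesContent") or []) if c)
    if embedded:
        findings.append((path, "high", f"embeds full text of {embedded} original source file(s)"))

    root = sm.get("sourceRoot") or ""
    if _is_remote(root):
        findings.append((path, "high", f"sourceRoot points at remote location {root}"))

    for src in sm.get("sources") or []:
        if _is_remote(src):
            findings.append((path, "high", f"source entry points at remote location {src}"))
    return findings


def audit_package(files):
    """files: mapping of tarball path -> bytes. Returns all source-map findings."""
    findings = []
    for path, data in sorted(files.items()):
        if path.endswith(".map"):
            findings.extend(audit_source_map(path, data.decode("utf-8", "replace")))
    return findings


def files_from_tarball(tar_path):
    """Load a real `npm pack` tarball into the mapping audit_package expects."""
    files = {}
    with tarfile.open(tar_path, "r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


if __name__ == "__main__":
    import sys
    files = files_from_tarball(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PACKAGE
    for path, severity, message in audit_package(files):
        print(f"[{severity}] {path}: {message}")
```

Run it against the tarball produced by `npm pack` as a pre-publish gate; a "high" finding means the package would ship either the source itself or a pointer to wherever the build left it. The durable fix is to exclude map files through the `files` allowlist in package.json or `.npmignore`, and this check is the safety net for when that allowlist is wrong.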

Claude code source code has been leaked via a map file in their npm registry!
Code: https://t.co/jBiMoOzt8G
— Chaofan Shou (@Fried_rice)
March 31, 2026

Anthropic confirmed the incident as a human error in the packaging release process, emphasizing that no sensitive customer data or credentials were involved. The company removed the package from the npm registry, but in the meantime the code had already been downloaded en masse and uploaded to GitHub, with repositories gathering tens of thousands of forks and stars in just a few hours. Security researcher Chaofan Shou was among the first to report the leak on X, triggering an avalanche effect in the developer ecosystem that criminals quickly monetized.

The trap on GitHub: Vidar and GhostSocks

According to Zscaler's ThreatLabz report, the GitHub user "idbzoomh" published a repository claiming to be the authentic leak, with a README stating that they had extracted the code from the .map file in the npm package and reconstructed it into a functional fork with "enterprise features unlocked" and no message limits. The repository was optimized for search engines and appeared among the top Google results for queries like "leaked Claude Code", lowering the barrier for curious users.

Those who downloaded the archive found a 7-Zip file named "Claude Code - Leaked Source Code", containing ClaudeCode_x64.exe, a dropper written in Rust. Upon execution, the binary installs two distinct components: Vidar v18.7 and GhostSocks. Vidar is a commodity infostealer that collects credentials, credit card data, and browser history; GhostSocks, on the other hand, routes network traffic through the compromised device, turning it into a proxy node that criminals exploit to mask their origins or conduct further illicit activities through third-party machines.

A malicious repository appears among Google search results - Source: Zscaler

Zscaler also identified a second repository with identical code, again linked to the user "idbzoomh". Unlike the first, it did not include a releases section but displayed a prominent "Download ZIP" button that was non-functional at the time of analysis. Researchers speculate that the actor was experimenting with alternative distribution strategies, with the second repository serving as a test version or fallback.

Updated archive, variable payloads

A particularly concerning element is the frequency with which the malicious archive is updated: ThreatLabz observed multiple versions of the file distributed in short intervals, with two different ZIPs present in the releases section not far apart in time. This behavior suggests an active infrastructure, potentially capable of distributing different payloads in subsequent iterations, making detection solely based on static hashes difficult.
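When the archive is re-issued this often, a hash blocklist lags behind each new build; triage based on what a downloaded release actually contains is more durable. The following Python script is an added example, not Zscaler's or ThreatLabz's tooling: it reads a ZIP in memory without extracting anything, identifies native executables by their magic bytes regardless of file extension, and flags them in an archive that purports to be a TypeScript source tree. The sample archive is constructed inside the script, and the "executable" in it is a two-byte DOS header stub with padding, not a real binary. 7-Zip archives need a third-party library (py7zr) and are not handled here.

```python
import io
import zipfile

# Magic bytes of native executables, matched on content rather than file extension.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF (Linux executable)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
}
MAX_HEAD = 4096   # bytes read per entry; enough for every signature above
MAX_RATIO = 100   # uncompressed/compressed ratio above which an entry looks like a zip bomb


def classify_head(head):
    """Return a label if the first bytes match a native executable format, else None."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def triage_zip(archive_bytes):
    """Inspect a ZIP in memory and return (entry_name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append((info.filename, "suspicious compression ratio"))
            with zf.open(info) as fh:      # stream only the head; nothing touches disk
                head = fh.read(MAX_HEAD)
            label = classify_head(head)
            if label:
                findings.append((info.filename, f"native executable: {label}"))
    return findings


def build_sample_archive():
    """Constructed stand-in for a 'leaked source' release: a stub PE next to source files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Claude Code - Leaked Source Code/README.md", "# enterprise features unlocked\n")
        zf.writestr("Claude Code - Leaked Source Code/src/index.ts", "export const main = () => 0;\n")
        # Two-byte DOS header stub followed by padding; not a real executable.
        zf.writestr("Claude Code - Leaked Source Code/ClaudeCode_x64.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def build_clean_archive():
    """Constructed archive containing only source files, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project/src/index.ts", "export const main = () => 0;\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for name, reason in triage_zip(data) or [("-", "no findings")]:
        print(f"{name}: {reason}")
```

The point of checking magic bytes rather than names is that a renamed dropper still starts with the same header, and the check costs nothing when the archive changes between releases. A source-code archive that contains any native executable is the signal here; which malware family it drops is a question for a sandbox, not for this triage step.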

A pattern already seen, and not just with Claude Code

The campaign follows a pattern already established elsewhere. In March 2026, Huntress had documented a similar operation based on fake OpenClaw installers on GitHub that delivered the same GhostSocks as the main payload. The overlap in tooling suggests that part of the infrastructure may be shared between campaigns, or that the same operator acts on multiple fronts, exploiting any event of high media interest as a distribution vector.

It is also worth noting the temporal coincidence with another incident: according to Bitcoin.com, March 31 coincided with a separate attack on the npm supply chain that involved the axios package, which was compromised between 00:21 and 03:29 UTC. Those who installed or updated Claude Code via npm during that window are encouraged to audit their dependencies and rotate credentials. Anthropic itself now recommends using its native installer instead of npm for tool installation.

GitHub remains a structurally difficult malware distribution vector to counter: the speed of repository creation, the perceived authority of the platform, and the ease with which search results are manipulated continue to ensure a conversion rate sufficient to make these campaigns economically viable for threat actors. The exploitation of the Claude Code leak is the latest demonstration of this.