Attackers Exploit Leaked Claude AI Code to Spread Vidar and GhostSocks Malware


Jennifer sherman
April 4, 2026

Key Takeaways

  • Anthropic’s Claude Code, a terminal-based AI coding assistant, had its complete source code accidentally leaked on March 31, 2026.
  • Threat actors are exploiting the leak by creating malicious GitHub repositories that distribute the Vidar information stealer and GhostSocks proxy malware to unsuspecting developers.
  • The exposed internal mechanisms of Claude Code could enable sophisticated supply chain attacks and silent device takeovers.
  • Organizations must implement immediate defensive measures, including developer education and enhanced security protocols, to mitigate risks.

A significant security incident has emerged following the accidental exposure of Anthropic’s flagship terminal-based coding assistant, Claude Code. On March 31, 2026, the artificial intelligence company inadvertently made the complete source code for its AI assistant publicly accessible, triggering a wave of concern across the cybersecurity landscape.


The leak stemmed from a packaging error in a public npm package: the published package included a JavaScript source map file that contained over half a million lines of unobfuscated TypeScript code. While the exposed data did not include sensitive elements such as model weights or user information, it did reveal the intricate internal operational mechanisms of the AI system.
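The leak vector above is a source map shipped inside the package. A source map whose `sourcesContent` array is populated carries the full original sources, which is how an `npm pack` can quietly bundle an entire TypeScript codebase. The following is an added example, not Anthropic's or npm's code: a prepublish audit that classifies every `.map` file in a package's file set. The package contents are constructed in-memory; in real use you would extract the tarball from `npm pack` and walk its files.

```javascript
// Added example (not Anthropic's or npm's code): audit the files that would go
// into an npm package for source maps that embed original sources.

// Constructed stand-in for what `npm pack` would include (path -> file text).
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({ name: 'example-cli', version: '1.0.0', files: ['dist'] }),
  'dist/cli.js': '"use strict";console.log("hi");\n//# sourceMappingURL=cli.js.map\n',
  // A map with sourcesContent carries the full original TypeScript.
  'dist/cli.js.map': JSON.stringify({
    version: 3,
    file: 'cli.js',
    sources: ['../src/cli.ts', '../src/internal/flags.ts'],
    sourcesContent: ['export function main() {}', 'export const FLAGS = {};'],
    mappings: 'AAAA',
  }),
  // A map without sourcesContent only reveals file names and mappings.
  'dist/vendor.js.map': JSON.stringify({
    version: 3, file: 'vendor.js', sources: ['vendor.js'], mappings: '',
  }),
};

// Classify every .map file in the package. Returns one finding per map.
function auditSourceMaps(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    if (!file.endsWith('.map')) continue;
    let map;
    try {
      map = JSON.parse(text);
    } catch (err) {
      findings.push({ file, severity: 'medium', sources: [], reason: 'unparseable source map' });
      continue;
    }
    const sources = Array.isArray(map.sources) ? map.sources : [];
    const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
    const embedded = contents.filter((s) => typeof s === 'string' && s.length > 0);
    if (embedded.length > 0) {
      // This is the leak case: original sources travel inside the package.
      const chars = embedded.reduce((n, s) => n + s.length, 0);
      findings.push({
        file, severity: 'high', sources,
        reason: `embeds ${embedded.length} original source file(s), ${chars} chars`,
      });
    } else if (sources.some((s) => s.split('/').includes('..'))) {
      // Paths that climb out of the package still disclose repository layout.
      findings.push({ file, severity: 'medium', sources, reason: 'references files outside the package' });
    } else {
      findings.push({ file, severity: 'low', sources, reason: 'map without embedded sources' });
    }
  }
  return findings;
}

// Gate for a prepublish step: refuse to publish if any map embeds sources.
function shouldBlockPublish(findings) {
  return findings.some((f) => f.severity === 'high');
}

// Stand-alone run over the constructed package.
const sampleAudit = auditSourceMaps(SAMPLE_PACKAGE);
for (const f of sampleAudit) console.log(`${f.severity.toUpperCase()} ${f.file}: ${f.reason}`);
console.log(shouldBlockPublish(sampleAudit) ? 'publish blocked' : 'publish allowed');
```

Wiring `shouldBlockPublish` into a `prepublishOnly` script, or simply listing `*.map` in `.npmignore`, turns the check into a gate rather than a report. Note that a `files` allowlist in package.json such as `["dist"]` does not exclude maps that the build wrote into `dist/`.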

The incident quickly escalated after security researcher Chaofan Shou publicly announced the leak on social media. The proprietary codebase was subsequently mirrored across numerous GitHub repositories and forked tens of thousands of times, making it widely available to the public and, critically, to malicious actors.

The widespread accessibility of this internal code has created a substantial new avenue for supply chain attacks. Cybercriminals have swiftly moved to weaponize the incident, establishing malicious forks of the repository designed to compromise the workstations of developers seeking access to the leaked information.

Researchers at Zscaler ThreatLabz recently uncovered a highly sophisticated campaign actively exploiting this leak. The campaign employs social engineering tactics, luring developers under the guise of providing access to the leaked Claude Code source.

Delivering Vidar and GhostSocks Malware

In this newly identified threat campaign, attackers have established deceptive GitHub repositories that meticulously mimic the authentic leaked Claude Code repository. One such malicious page, attributed to a threat actor operating under the alias “idbzoomh,” has achieved high visibility in search engine results, making it easily discoverable by developers looking for the leaked files.

The repository falsely promises an “unlocked” version of the enterprise software, touting features like unlimited usage. However, instead of legitimate code, the provided zip archive contains a Rust-based dropper executable. When executed, this dropper deploys two critical pieces of malware: the Vidar information stealer, designed to exfiltrate sensitive credentials, and GhostSocks, a tool used to proxy network traffic.

The deployment of GhostSocks in this campaign bears a striking resemblance to previous attack patterns, where threat actors distributed network proxies alongside data-stealing malware through fake software installers.

Beyond the immediate threat of social engineering lures, the exposure of Claude Code’s internal components presents severe long-term risks. The leaked files detail complex orchestration processes, permission execution layers, persistent memory systems, and dozens of hidden internal feature flags. Given that the original codebase incorporates advanced capabilities for local shell execution and auto-executing scripts, threat actors who possess the full source code are now in a prime position to craft highly precise exploits. This could potentially enable silent device takeovers or credential theft, triggered simply by tricking a developer into cloning an untrusted repository or opening a specially crafted project file.

What You Should Do

  • Educate Developers: Strongly advise all development teams against downloading, building, or running any code purporting to be the leaked Anthropic software from unofficial sources.
  • Rely on Official Channels: Emphasize the importance of strictly using official channels and signed binaries for all software and updates to maintain integrity.
  • Implement Zero Trust and Segmentation: Deploy a Zero Trust architecture and segment access to critical applications and development environments to limit the potential impact of a compromised workstation.
  • Monitor for Anomalies: Continuously monitor for anomalous outbound network connections and regularly scan local environments for unexpected npm packages or other unauthorized software installations.
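One concrete form of the last recommendation is an inventory check of globally installed npm packages against an allowlist, flagging anything unknown or anything that was not installed from the trusted registry (for instance a git URL or a local path, which is how a lure repository would typically be installed). This is an added example, not npm's own tooling; the input is constructed in the shape that `npm ls -g --json --depth=0` prints (the `resolved` field is assumed to be present, as it is in recent npm versions).

```javascript
// Added example (not npm's code): compare globally installed npm packages
// against an allowlist and flag unexpected or non-registry installs.

// Constructed input in the shape of `npm ls -g --json --depth=0` output.
const SAMPLE_NPM_LS = {
  name: 'lib',
  dependencies: {
    npm: { version: '10.8.2', resolved: 'https://registry.npmjs.org/npm/-/npm-10.8.2.tgz' },
    typescript: { version: '5.4.5', resolved: 'https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz' },
    // Constructed placeholder for a lure package pulled straight from a git URL.
    'unofficial-ai-cli': { version: '1.0.0', resolved: 'git+https://github.com/EXAMPLE-PLACEHOLDER/repo.git' },
    // Constructed: a local path install that never went through the registry.
    'some-tool': { version: '0.1.0', resolved: 'file:../some-tool' },
  },
};

// Packages an organization expects to see installed globally (constructed).
const ALLOWED_GLOBALS = new Set(['npm', 'typescript']);
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

// Returns one finding per package that is either not allowlisted or was not
// resolved from the trusted registry. Each finding lists all its reasons.
function findUnexpectedPackages(npmLs, allowlist, registry = TRUSTED_REGISTRY) {
  const findings = [];
  const deps = npmLs && npmLs.dependencies ? npmLs.dependencies : {};
  for (const [name, info] of Object.entries(deps)) {
    const reasons = [];
    if (!allowlist.has(name)) reasons.push('not on the allowlist');
    const resolved = typeof info.resolved === 'string' ? info.resolved : '';
    if (!resolved.startsWith(registry)) {
      reasons.push(`installed from ${resolved || 'unknown origin'} rather than the registry`);
    }
    if (reasons.length > 0) {
      findings.push({ name, version: info.version, resolved, reasons });
    }
  }
  return findings;
}

// Stand-alone run over the constructed inventory. In real use, parse the
// output of `npm ls -g --json --depth=0` and pass it in.
const inventoryFindings = findUnexpectedPackages(SAMPLE_NPM_LS, ALLOWED_GLOBALS);
for (const f of inventoryFindings) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join('; ')}`);
}
```

Running this periodically from endpoint management (or an EDR custom script) and shipping the findings to the SIEM gives the "unexpected npm packages" signal the recommendation asks for; the same allowlist comparison applies to per-project `node_modules` when the project lockfile is the baseline.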

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
