low

Claude Code leak used to push infostealer malware on GitHub

April 6, 2026·BleepingComputer·Threat Intel
malwaregithubsocial-engineeringinfostealersupply-chain

Attackers Weaponize Claude Code Leak to Distribute Vidar Malware via Fake GitHub Repos

TL;DR

Cybercriminals are exploiting recent interest in leaked Claude Code source code by creating fake GitHub repositories that deliver Vidar information-stealing malware instead of the promised code. This campaign demonstrates how threat actors quickly pivot to exploit trending topics in the developer community.

What Happened

According to BleepingComputer, threat actors have established multiple fraudulent GitHub repositories claiming to contain leaked source code from Anthropic's Claude Code project. Instead of delivering the promised code, these repositories serve as distribution points for Vidar, a well-established information-stealing malware family.

The campaign capitalizes on developer curiosity about the alleged leak, using GitHub's trusted platform and professional-looking repository layouts to appear legitimate. Users seeking access to the leaked code are instead infected with malware designed to harvest credentials, browser data, and other sensitive information.

Technical Analysis

Vidar is a commodity infostealer-as-a-service that has been active since 2018. The malware typically operates by:


The use of GitHub as a distribution mechanism is particularly concerning because developers routinely download and execute code from the platform. The fake repositories likely contain executable files disguised as source code archives or installation scripts that deploy Vidar when run.

This attack vector exploits the trust relationship between developers and GitHub, combined with the urgency created by leaked source code availability. The repositories may use convincing naming conventions, detailed README files, and even fake commit histories to appear authentic.

Impact & Who's Affected

This campaign primarily targets:


Successful infections could result in:


The use of GitHub as an attack vector is particularly dangerous because it bypasses many traditional security awareness training scenarios that focus on email attachments or suspicious websites.

What You Should Do

Immediate Actions:


Ongoing Security Measures:

For Organizations:

The Bigger Picture

This campaign illustrates how quickly cybercriminals adapt to exploit current events and trending topics. The targeting of developers is particularly concerning given their privileged access to source code, production systems, and sensitive credentials.

The incident also highlights GitHub's dual role as both a critical development platform and potential attack vector. While GitHub has security measures in place, the platform's open nature makes it challenging to prevent all malicious repositories from appearing.

Organizations should expect similar campaigns targeting developers around future high-profile leaks or announcements. The combination of social engineering, trusted platforms, and developer curiosity creates an effective attack vector that traditional security training may not adequately address.

Source: BleepingComputer analysis of ongoing GitHub-based malware campaign

← All Threat IntelSource: BleepingComputer