Claude Code leak used to push infostealer malware on GitHub
Attackers Weaponize Claude Code Leak to Distribute Vidar Malware via Fake GitHub Repos
TL;DR
Cybercriminals are exploiting recent interest in leaked Claude Code source code by creating fake GitHub repositories that deliver Vidar information-stealing malware instead of the promised code. This campaign demonstrates how threat actors quickly pivot to exploit trending topics in the developer community.
What Happened
According to BleepingComputer, threat actors have established multiple fraudulent GitHub repositories claiming to contain leaked source code from Anthropic's Claude Code project. Instead of delivering the promised code, these repositories serve as distribution points for Vidar, a well-established information-stealing malware family.
The campaign capitalizes on developer curiosity about the alleged leak, using GitHub's trusted platform and professional-looking repository layouts to appear legitimate. Users seeking access to the leaked code are instead infected with malware designed to harvest credentials, browser data, and other sensitive information.
Technical Analysis
Vidar is a commodity infostealer-as-a-service that has been active since 2018. The malware typically operates by:
- Extracting stored credentials from browsers, email clients, and applications
- Harvesting cryptocurrency wallet data
- Collecting system information and installed software details
- Exfiltrating files from targeted directories
The use of GitHub as a distribution mechanism is particularly concerning because developers routinely download and execute code from the platform. The fake repositories likely contain executable files disguised as source code archives or installation scripts that deploy Vidar when run.
This attack vector exploits the trust relationship between developers and GitHub, combined with the urgency created by leaked source code availability. The repositories may use convincing naming conventions, detailed README files, and even fake commit histories to appear authentic.
Impact & Who's Affected
This campaign primarily targets:
- Software developers interested in AI/ML code
- Security researchers investigating the leak
- Anyone in the tech community following Claude Code developments
Successful infections could result in:
- Theft of development credentials and API keys
- Compromise of source code repositories
- Loss of cryptocurrency and financial data
- Corporate network infiltration if work devices are affected
The use of GitHub as an attack vector is particularly dangerous because it bypasses many traditional security awareness training scenarios that focus on email attachments or suspicious websites.
What You Should Do
Immediate Actions:
- Avoid downloading any repositories claiming to contain leaked Claude Code
- Scan systems with updated antivirus if you've accessed suspicious repositories
- Change passwords and revoke API tokens if compromise is suspected
Ongoing Security Measures:
- Verify repository authenticity before downloading code, especially for trending/leaked content
- Use dedicated development environments isolated from production systems
- Enable GitHub's security features like dependency scanning and secret detection
- Implement endpoint detection and response (EDR) tools that can identify infostealer behavior
For Organizations:
- Brief development teams on this specific threat
- Consider implementing policies around downloading code from unverified sources
- Monitor for indicators of Vidar infections across developer workstations
The Bigger Picture
This campaign illustrates how quickly cybercriminals adapt to exploit current events and trending topics. The targeting of developers is particularly concerning given their privileged access to source code, production systems, and sensitive credentials.
The incident also highlights GitHub's dual role as both a critical development platform and potential attack vector. While GitHub has security measures in place, the platform's open nature makes it challenging to prevent all malicious repositories from appearing.
Organizations should expect similar campaigns targeting developers around future high-profile leaks or announcements. The combination of social engineering, trusted platforms, and developer curiosity creates an effective attack vector that traditional security training may not adequately address.
Source: BleepingComputer analysis of ongoing GitHub-based malware campaign