{
	"id": "9c33737a-9bdf-4f2b-a60a-fb8effd4b2ec",
	"created_at": "2026-05-06T02:03:19.499157Z",
	"updated_at": "2026-05-06T02:03:52.707214Z",
	"deleted_at": null,
	"sha1_hash": "93b5b20be20b15693ad88b3a0e51da857d8df7b4",
	"title": "Anthropic Claude Code Leak | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 718285,
	"plain_text": "Anthropic Claude Code Leak | ThreatLabz\r\nBy Manisha Ramcharan Prajapati, Jithin Prajeev Nair, Avinash Kumar, Mallikarjun Piddannavar\r\nPublished: 2026-04-01 · Archived: 2026-05-06 02:01:01 UTC\r\nThreatLabz discovers “Claude Code leak” lure that distributes Vidar and\r\nGhostSocks\r\nWhile monitoring GitHub for threats, ThreatLabz came across a “Claude Code leak” repository published by\r\nidbzoomh (links located in the IOC section). The repository looks like it’s trying to pass itself off as leaked\r\nTypeScript source code for Anthropic’s Claude Code CLI. The README file even claims the code was exposed\r\nthrough a .map file in the npm package and then rebuilt into a working fork with “unlocked” enterprise features\r\nand no message limits. \r\nThe repository link appears near the top of Google results for searches like “leaked Claude Code,” which makes it\r\neasy for curious users to encounter, as shown in the figure below.\r\nFigure 1: Google search results for leaked Claude Code on GitHub returning a malicious repository.\r\nhttps://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak\r\nPage 1 of 4\n\nFigure 2: Malicious GitHub repository using the leaked Claude Code source as a lure.\r\nThe malicious ZIP archive in the repository’s releases section is named Claude Code - Leaked Source Code (.7z).\r\nThe archive includes ClaudeCode_x64.exe, a Rust-based dropper. On execution, the ClaudeCode_x64.exe drops\r\nVidar v18.7 and GhostSocks. Vidar is an information stealer and GhostSocks is used to proxy network traffic. In\r\nearly March, another security vendor reported a similar campaign where GitHub was being used to deliver the\r\nsame payload.\r\nThe threat actor keeps updating the malicious ZIP archive in short intervals. At the time of analysis, ThreatLabz\r\nobserved that there were two ZIP archives updated in the releases section in a short timeframe. 
The figure below\r\nshows the first ZIP archive ThreatLabz encountered which was updated about 13 hours ago.\r\nFigure 3: GitHub repository using the Claude Code leak as a lure to distribute malicious ZIP archives.\r\nThreatLabz also identified the same GitHub repository hosted under another account (located in the IOC section)\r\nthat contains identical code and appears to be committed by the same threat actor, idbzoomh.\r\nUnlike the earlier repository, this one does not include a releases section. The README file displays a prominent\r\n“Download ZIP” button. However, it does not link to any compiled binary or an archive and was non-functional at\r\nthe time of analysis. The figure below shows the repository and non-functional button.\r\nFigure 4: Additional GitHub repository hosting the same Claude Code leak lure with a “Download ZIP” button.\r\nSource: https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak"
	],
	"report_names": [
		"anthropic-claude-code-leak"
	],
	"threat_actors": [],
	"ts_created_at": 1778032999,
	"ts_updated_at": 1778033032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93b5b20be20b15693ad88b3a0e51da857d8df7b4.pdf",
		"text": "https://archive.orkl.eu/93b5b20be20b15693ad88b3a0e51da857d8df7b4.txt",
		"img": "https://archive.orkl.eu/93b5b20be20b15693ad88b3a0e51da857d8df7b4.jpg"
	}
}