Claude Code Leak Spreads Infostealer Malware via GitHub

A recent leak of Claude Code’s source material has been exploited by cybercriminals, who are now using fraudulent GitHub repositories as a delivery mechanism for the Vidar infostealer. This campaign capitalizes on developer interest in the leaked code to spread a dangerous payload designed to harvest sensitive data from infected systems. Security researchers have observed a clear pattern where attackers create convincing but malicious repositories, often naming them to appear as legitimate forks or related projects.

The Vidar malware is a well-known threat capable of extracting a wide array of information, including saved browser credentials, cryptocurrency wallet data, and system details. By luring users with the promise of accessing the leaked Claude Code, the threat actors trick developers into cloning and executing the malicious code. This method represents a sophisticated form of social engineering, preying on the curiosity and professional needs of the target audience.

Once executed, the malware establishes persistence on the victim’s machine and begins its data exfiltration routines. The use of GitHub, a trusted platform within the developer community, adds a layer of credibility that makes these malicious repositories difficult to identify at a glance. This incident underscores a persistent trend in cyber threats, where attackers leverage current events and trusted platforms to increase the success rate of their campaigns.

Security experts strongly advise developers to exercise extreme caution when interacting with repositories related to high-profile leaks. Verifying the authenticity of a repository’s maintainer, checking for unusual recent commit activity, and scanning downloaded files with updated security software are critical defensive steps. The rapid weaponization of this leak demonstrates how quickly threat actors can adapt to new opportunities, turning a software incident into a widespread security risk.