Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do
Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk.
Key takeaways:
- Attackers rapidly leveraged the Claude Code packaging error incident to distribute credential-stealing malware using fake GitHub repositories. This demonstrates how quickly threat actors can exploit public attention following a software supply chain incident.
- Vidar, GhostSocks, and PureLog Stealer were observed to have been distributed through the malicious GitHub releases; these payloads enable credential theft, cryptocurrency wallet exfiltration, session hijacking, and residential proxy abuse across Windows.
- TrendAI Vision One™ detects and blocks the IoCs provided at the end of this blog. TrendAI™ customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign.
TrendAI™ Research is continuously monitoring an active campaign that continues to leverage the packaging error in Anthropic's Claude Code npm release to distribute Vidar, GhostSocks, and PureLog Stealer payloads.
The distribution hub for the leaked Claude Code brand lure campaign was identified as https://github[.]com/leaked-claude-code/leaked-claude-code. It is operated by a GitHub account identified as idbzoomh1, who used the legitimate Claude Code source map leak incident as a lure to deliver payloads via a release asset. A previous account, idbzoomh, has been blocked by GitHub. As of publishing there are no other identified repositories connected to the campaign; TrendAI™ Research will update this blog in the event of new findings.
| Type | Value |
|---|---|
| Threat actor email | blactethe1061@outlook.com |
| Threat actor GitHub account | idbzoomh (blocked by GitHub); idbzoomh1 (current) |
| Current download URL | hxxps[:]//github[.]com/leaked-claude-code/leaked-claude-code/releases/download/leaked-claude-code/Claude_code_x64[.]7z |
| Payload (replaced) | ClaudeCode_x64.7z (active from 2026-03-31 14:05 PST to 2026-04-04 18:00 UTC+8) |
| Payload (replaced) | Claude-Code_x64.7z (active from 2026-04-04 17:36 PST to 2026-04-04 18:00 UTC+8) |
| Payload (current) | Claude_code_x64.7z (533 downloads as of 2026-04-07 18:00 UTC+8) |

Table 1. Distribution artifacts and threat actor identifiers
This social engineering lure is part of a broader malware distribution campaign that has been active since February 2026. We have observed the operators cycling through more than 25 software brands (AI tools, crypto bots, creative software, and others) packaged as trojanized archives, each delivering a Rust-compiled dropper payload.
Payloads delivered and impact scope
Different malware payloads were observed to have been distributed through the malicious GitHub releases:
- Vidar is a stealer known to perform multi-threaded data theft targeting browser-stored credentials, cryptocurrency wallets, session tokens, and system information. Stolen data is exfiltrated to attacker-controlled C&C infrastructure resolved through dead drop profiles on Steam Community and Telegram.
- GhostSocks has been observed in previous campaigns to establish a SOCKS5 proxy on the victim's machine, allowing the threat actors to tunnel network traffic through compromised hosts. This effectively turns infected machines into residential proxy infrastructure for further operations.
- PureLog Stealer is a .NET information stealer known to harvest Chrome credentials, browser extensions, cryptocurrency wallets, and system information. It executes entirely in memory using a multi-stage fileless loader chain to evade detection.
The combined functionality of the malware payloads enables credential theft, cryptocurrency wallet exfiltration, session hijacking, and residential proxy abuse across Windows, giving the operators multiple monetization paths from a single infection.
As of April 7, 2026, 18:00 UTC+8, the repository has 838 stars and 1,060 forks, and the current payload archive has 533 confirmed downloads. Earlier download links have been deleted or replaced, and their download counts can no longer be retrieved, so the true number of downloads is higher than this figure and will likely continue to rise.
What organizations should do
TrendAI™ protections
Organizations can take advantage of TrendAI Vision One™, which is equipped with pattern updates, behavioral detections, and web reputation blocks that can help provide protection against this campaign, as well as hunting tools that can be used by customers to investigate potential exposure.
Utilizing Observed Attack Techniques (OAT)
TrendAI Vision One™ customers that use endpoint and server protection solutions can check the Observed Attack Techniques section of the TrendAI Vision One™ console for suspicious activity that may indicate malicious behavior associated with this threat.
Potential indicators include:
- Execution of Claude with Leaked Version
- Possible Claude Code Related File Download
- AWS Claude Leak UserAgent
- TrojanSpy Malware Detection [F2021]
- Malware Detection [F4986]
- Predictive Machine Learning Detection [F2039]
- Threat Type Prioritization Trojan Detection [F3592]
- File Detection for Amadey [F3362]
- URL Access Blocked - C&C Server
- URL Access Blocked - Malware Accomplice
- URL Access Blocked - Disease Vector
TrendAI Vision One™ Workbench Alerts
The Workbench serves as a crucial tool for monitoring and responding to security alerts.
- Suspicious Execution from Possible Leaked Claude Code Binary
- URL Access Detection by Web Reputation Service
Patterns, models, and signatures
TrendAI™ solutions that utilize different pattern, behavior monitoring and other advanced detection technology can also detect and protect against the following known malicious components associated with this campaign:
- TrojanSpy.Win64.VIDAR.SMCLX (Smart Scan Agent Pattern 20.863)
- Trojan.Win64.VIDAR.CLX (Smart Scan Agent Pattern 20.863)
- Trojan.Win32.GHOSTSOCKS.SM (Smart Scan Agent Pattern 20.871)
- TrojanSpy.Win64.VIDAR.SMCX (Smart Scan Agent Pattern 20.871)
- AG.FLS.ISB.7403T: Prevents spawning of encoded PowerShell
- AG.3200T: Prevents suspicious self-propagation and persistence
- 2015Q_CQ: Detects process injection behavior
- TRX5656Q: Triggers the AI-assisted detection layer
- 1478T: Detects non-whitelisted processes that exhibit self-propagation and persistence via autorun
- 1770T: Detects non-whitelisted processes that exhibit self-propagation
TrendAI Vision One™ Web Reputation Services (WRS)
TrendAI Vision One™ is also blocking several known C&C servers and Disease Vector IPs and domains known to be associated with this campaign. Verified malicious GitHub repositories and leaked code download links are blocked as Illegal or Prohibited Content.
TrendAI Vision One™ Threat Intelligence Hub
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and the TrendAI Vision One™ Threat Intelligence Feed within the TrendAI Vision One™ platform.
Emerging Threats: Claude Code Leak Social Engineering and Malware Distribution via GitHub
Intelligence Reports (IOC Sweeping)
Hunting Queries
TrendAI Vision One™ Search App
TrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Detection of Vidar and GhostSocks malware components
malName: *VIDAR* OR *GHOSTSOCKS* and eventName: MALWARE_DETECTION
Detection of Vidar C&C communication
eventSubId:204 AND dst:("rti.cargomanbd.com")
More hunting queries are available for TrendAI Vision One™ customers with Threat Intelligence Hub entitlement enabled.
Additional mitigation guidance
Organizations that suspect exposure to this campaign can also implement the following recommendations to reduce the risk of potential compromise.
- Scan for artifacts. Search endpoints for the presence of TradeAI.exe, ClaudeCode_x64.exe, Claude_Code_x64.exe or any executable extracted from 7z archives downloaded from unverified GitHub repositories. Check %TEMP%, %APPDATA%, and user download directories. A list of indicators of compromise (IOCs) for the Claude Code lures and GitHub release payloads can be found in our previous blog.
- Run updated endpoint scans. Ensure TrendAI™ endpoint protection is running Smart Scan Agent Pattern 20.871 or later and run a full scan: pattern 20.863 added the Vidar detections (TrojanSpy.Win64.VIDAR.SMCLX and Trojan.Win64.VIDAR.CLX), and 20.871 added Trojan.Win32.GHOSTSOCKS.SM and TrojanSpy.Win64.VIDAR.SMCX.
- Check for proxy activity. Monitor for unexpected inbound connections on TCP ports 57001, 57002, and 56001, and audit Windows Firewall for rules that open these ports; the dropper's embedded payload creates those rules to enable GhostSocks proxy communication.
- Rotate all credentials. Any machine where the dropper may have executed should treat all accessible credentials as compromised: browser-stored passwords, cryptocurrency wallets, session tokens, API keys, and SSH keys.
- Block C&C infrastructure. Ensure rti[.]cargomanbd[.]com, pastebin[.]com/raw/mcwWi1Ue, and snippet[.]host/efguhk/raw are blocked at the network perimeter.
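The host-side checks in the list above, as an added example that is not part of the original post and not TrendAI tooling: a PowerShell triage script that sweeps the directories named above for the lure filenames, looks for running processes with those names, lists firewall rules and listeners on the GhostSocks ports, and looks for the C&C and dead-drop hosts in the DNS client cache. The filenames, ports and domains are taken from this post; the search roots, the SHA-256 hashing of hits (for comparison against the IOC list in the previous blog) and the decision to treat pastebin.com and snippet.host resolutions as weak signals on their own are assumptions.

```powershell
# Added triage example, not TrendAI tooling. Indicators (filenames, ports, C&C
# hosts) come from the blog; the search roots and output format are assumptions.
# Run from an elevated PowerShell 5.1+ session on the host under investigation.

$lureFiles  = 'TradeAI.exe', 'ClaudeCode_x64.exe', 'Claude_Code_x64.exe',
              'ClaudeCode_x64.7z', 'Claude-Code_x64.7z', 'Claude_code_x64.7z'
$proxyPorts = '57001', '57002', '56001'            # GhostSocks firewall rules / listeners
$c2Hosts    = 'rti.cargomanbd.com'                 # direct C&C
$dropHosts  = 'pastebin.com', 'snippet.host'       # dead-drop hosts: weak signal alone

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($check, $detail, $hash = $null) {
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail; SHA256 = $hash })
}

# 1. Lure archives/binaries in the locations the dropper is known to use
$searchRoots = $env:TEMP, $env:APPDATA, (Join-Path $env:USERPROFILE 'Downloads')
foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $lureFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Add-Finding 'Artifact' $_.FullName $hash
        }
}

# 2. Running processes named after the lure binaries (image name without .exe)
$procNames = $lureFiles | Where-Object { $_ -like '*.exe' } | ForEach-Object { $_ -replace '\.exe$' }
Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Process' ("{0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path)
}

# 3. Firewall rules that open the GhostSocks ports (the dropper adds these).
#    LocalPort may be a list on a single rule, hence the inner Where-Object.
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) | Where-Object { $proxyPorts -contains $_ }) } |
    Get-NetFirewallRule |
    ForEach-Object {
        Add-Finding 'FirewallRule' ("{0} [{1}/{2}, Enabled={3}]" -f $_.DisplayName, $_.Direction, $_.Action, $_.Enabled)
    }

# 4. Anything already listening on those ports, with the owning process
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $proxyPorts -contains [string]$_.LocalPort } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'Listener' ("TCP {0}:{1} owned by PID {2} ({3})" -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $owner.ProcessName)
    }

# 5. Recent resolutions of the C&C and dead-drop hosts in the DNS client cache.
#    A pastebin/snippet.host entry only shows the host resolved the domain; confirm
#    the exact /raw path in proxy or web logs before treating it as compromise.
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = $_.Entry
    if ($c2Hosts -contains $entry) { Add-Finding 'DnsCache-C2' $entry }
    elseif ($dropHosts | Where-Object { $entry -like "*$_" }) { Add-Finding 'DnsCache-DeadDrop' $entry }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from this campaign found on this host.' }
else { $findings | Sort-Object Check | Format-Table -AutoSize -Wrap }
```

Any Artifact, Process, FirewallRule or Listener finding should be treated as a likely execution of the dropper, which means the credential rotation step above applies to that host; a DnsCache-DeadDrop finding alone warrants a log review rather than an immediate rebuild.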
This incident underscores that security compromise is not limited to software vulnerabilities: it can also come from human and organizational gaps that can be exploited by tried-and-tested social engineering techniques that prey on alarm and urgency. This gap is widened as organizations increasingly adopt agentic environments. That’s why TrendAI™ is designing solutions as an Agentic Governance Gateway, which can empower organizations to discover, observe, understand, detect, and enforce governance over agentic AI behaviors and environments, ensuring safe and reliable adoption of autonomous AI.
This entry will be updated as new information emerges from our monitoring and analysis.