Artificial Intelligence (AI)
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks.
Key takeaways
- Anthropic inadvertently exposed internal Claude Code source material via a misconfigured npm package. The package included approximately 512,000 lines of internal TypeScript and triggered rapid mirroring across GitHub.
- Within 48 hours, threat actors took advantage of the attention around the leak to distribute Vidar stealer and GhostSocks proxy malware through fake “leaked Claude Code” GitHub repositories.
- The Claude Code bait is part of a broader rotating lure operation active since February 2026, impersonating more than 25 software brands while delivering the same Rust-compiled infostealer payload.
- The campaign abuses GitHub Releases as a trusted malware delivery channel, using large trojanized archives and disposable accounts to repeatedly evade takedowns.
- Beyond serving as a lure, the leaked source code itself introduces longer-term risks including vulnerability discovery, prompt injection blueprinting, and agentic attack surface exposure.
- Organizations should only approve designated installation paths for AI developer tools and should actively detect and block malicious indicators.
- Organizations should also consider applying governance as a control plane for agentic risk. This incident signifies that security compromise doesn't always come from software vulnerabilities: it can also come from human and organizational gaps. That's why TrendAI™ is introducing Agentic Governance Gateway to empower organizations to discover, observe, understand, detect, and enforce governance over agentic AI behaviors to ensure safe and reliable adoption of autonomous AI.
In late March 2026, Anthropic inadvertently released the internal Claude Code source material as part of an npm package that included a large internal source map file. Although the incident stemmed from a simple packaging mistake, threat actors were quick to capitalize on the resulting attention. Only 48 hours after the leak, they were able to create fake GitHub repositories to distribute credential-stealing malware disguised as “leaked” Claude Code downloads.
This incident demonstrates that security compromise is not limited to software vulnerabilities: human factors and organizational control gaps often serve as catalysts for threats and are primary drivers of material impact. In this blog entry, we will discuss our analysis of the threats capitalizing on this incident, the downstream risks of the leaked source code, and the actions organizations should take next.
The Claude Code source leak
On March 31, 2026, a routine npm publish for Anthropic's @anthropic-ai/claude-code package (version 2.1.88) inadvertently included a file that should never have shipped: cli.js.map, a 59.8 MB JavaScript source map generated by the Bun bundler. This file’s embedded sourcesContent field exposed the complete original TypeScript source tree—approximately 512,000 lines of code across 1,900 files—corresponding to build artifacts hosted on a publicly accessible Cloudflare R2 storage bucket.
The exposure was not a sophisticated breach, but a packaging error. The project's .npmignore file failed to exclude .map files from the distribution. Because Bun generates full source maps by default, and no explicit exclusion rule was in place, the entire agentic harness powering Claude Code shipped with the package and was laid bare to anyone who ran npm install.
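The packaging failure described above is easy to catch before publishing: a source map that carries a `sourcesContent` array ships the original code verbatim, and a `.npmignore` that does not match `*.map` will let it through. The following is an added example (not Anthropic's or npm's own tooling) of a pre-publish check that summarizes what a source map would expose and tests it against `.npmignore`-style patterns. The sample map is constructed for this example, and the glob matching is an approximation of npm's ignore rules, not a reimplementation of them.

```python
"""Pre-publish check for leaked source maps in an npm package (added example)."""
import fnmatch
import json
from typing import Dict, List

# Constructed sample source map: a tiny stand-in for cli.js.map. A real map
# emitted by a bundler such as Bun has the same top-level fields.
SAMPLE_SOURCE_MAP = json.dumps({
    "version": 3,
    "file": "cli.js",
    "sources": ["src/cli.ts", "src/tools/bash.ts", "node_modules/dep/index.js"],
    "sourcesContent": [
        "import { run } from './tools/bash';\nexport function main() {\n  run();\n}\n",
        "export function run() {\n  // executes a shell command\n}\n",
        None,  # third-party file with no embedded content
    ],
    "mappings": "AAAA",
})


def summarize_source_map(map_text: str) -> Dict[str, object]:
    """Report which original sources a source map embeds and how many lines."""
    data = json.loads(map_text)
    sources: List[str] = data.get("sources", [])
    contents = data.get("sourcesContent") or []
    embedded: List[str] = []
    total_lines = 0
    for path, content in zip(sources, contents):
        if content is None:
            continue  # mapping only, no original text shipped for this file
        embedded.append(path)
        total_lines += len(content.splitlines())
    return {
        "source_count": len(sources),
        "embeds_sources": bool(embedded),
        "embedded_files": embedded,
        "embedded_line_count": total_lines,
    }


def npmignore_excludes(patterns: List[str], filename: str) -> bool:
    """Approximate .npmignore matching: '*.map' excludes cli.js.map anywhere.

    Patterns without a slash are matched against the basename, patterns with
    a slash against the full relative path (gitignore-style, simplified).
    """
    for raw in patterns:
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        target = filename if "/" in pat else filename.rsplit("/", 1)[-1]
        if fnmatch.fnmatch(target, pat.lstrip("/")):
            return True
    return False


def audit_package(map_text: str, npmignore_lines: List[str],
                  map_path: str = "cli.js.map") -> List[str]:
    """Return findings a release pipeline should fail on (empty list = clean)."""
    findings: List[str] = []
    summary = summarize_source_map(map_text)
    if summary["embeds_sources"] and not npmignore_excludes(npmignore_lines, map_path):
        findings.append(
            f"{map_path} embeds {summary['embedded_line_count']} lines of original "
            f"source from {len(summary['embedded_files'])} files and is not "
            f"excluded by .npmignore"
        )
    return findings


if __name__ == "__main__":
    # A .npmignore that forgets *.map, as in the incident, versus one that lists it.
    for ignore in (["node_modules/", "*.log"], ["node_modules/", "*.map"]):
        print(ignore, "->", audit_package(SAMPLE_SOURCE_MAP, ignore) or "clean")
```

In a real pipeline the same check would run against the file list of `npm pack --dry-run` rather than a hard-coded path, and the safer fix is to allowlist shipped files with the `files` field in package.json instead of relying on ignore patterns at all.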
Within hours, the leaked source was mirrored across thousands of GitHub repositories. Anthropic confirmed the incident stemmed from human error, pulled the affected package version, and issued DMCA takedown notices against the mirrors. The company assured that no customer data or credentials were exposed.
This marked the second major Anthropic source-exposure incident in two months, following the “Mythos” leak, which also happened in late March and revealed internal details about an unreleased powerful AI model intended for cybersecurity use cases.
Attack timeline
Before this leak, threat actors had been running AI-themed malware lures since at least February 2026, cycling through fake tools and repositories to attract developer interest. The Claude Code source leak on March 31 provided a high-profile and timely lure, enabling operators to rapidly repurpose their existing infrastructure. Within 48 hours of the leak, in early April, they pivoted to impersonating “leaked” Claude Code downloads, using the incident’s visibility to accelerate distribution of their infostealer payloads.
| Date | Incident | Description | Key details |
|---|---|---|---|
| February 26 | AI tool lures | Malware campaign using fake AI tools | TradeAI.exe; 18+ unique samples; Copilot, Cursor, AI tools; active campaign |
| March 31, 2026 | Source code leak | Accidental exposure of source code | Anthropic npm packaging error; 59.8 MB source map exposed; 512K lines of TypeScript |
| March 31 to April | Time window | Delay between leak and weaponization | Within 48 hours of the leak |
| April | Claude Code lure | Malware distribution under fake Claude tooling | ClaudeCode_x64.7z; ClaudeCode_x64.exe; Vidar v18.7 + GhostSocks; GitHub Releases delivery |
Table 1. The campaign timeline
What the source code revealed
The leaked codebase exposed several unreleased features and internal mechanisms:
- KAIROS: An autonomous daemon mode referenced over 150 times in the codebase, enabling Claude Code to run as a persistent background agent that operates proactively without user initiation.
- Undercover Mode: A module (undercover.ts) that instructs the model to strip all mentions of Anthropic internals and the "Claude Code" name when contributing to external repositories.
- Dream System: A background memory-consolidation process (autoDream) that runs during idle periods to reorganize and optimize project-specific memories.
- Anti-Distillation: Protective mechanisms (ANTI_DISTILLATION_CC) that inject fake tool definitions and apply cryptographic signatures to prevent competitors from training on API traffic.
- Model codenames: References to upcoming models, including Capybara (Claude 4.6), Fennec (Opus 4.6), and Numbat.
- Buddy Pet: A hidden Tamagotchi-style AI pet feature with RPG-like stats that responds to user coding activity.
Claude Code: One lure in a larger campaign
Threat actors did not need the source code itself. They needed the hype.
Within 48 hours of the leak making headlines, malicious GitHub repositories began appearing in search results—and near the top of Google results—for queries like “leaked Claude Code source” and “Claude Code download.” These repositories relied on familiar social engineering tactics, including READMEs promising “leaked source code” and “unlocked enterprise features,” fake download buttons embedded as images, and GitHub Releases hosting trojanized 7z archives.
The Claude Code bait, however, was only the latest chapter in a much broader operation. Similar GitHub‑hosted lure campaigns earlier this year abused fake AI tooling repositories to distribute Vidar‑class infostealers and GhostSocks proxy malware, as previously documented by Huntress. Our observations indicate that the same threat actors have likely been running a rotating-lure campaign dating back to February 2026, cycling through more than 25 distinct software brands to attract victims. Regardless of the branding on the label, every archive delivers the same thing: a Rust-compiled dropper, TradeAI.exe, which deploys Vidar stealer alongside the GhostSocks proxy malware.
A rotating carousel of lures
The operation's scale becomes apparent when examining the parent archives that contain the TradeAI.exe payload. Across 22 unique payload variants, we identified 38 distinct 7z archives—each branded as a different piece of popular software.
The lure themes fall into several categories that reveal the operators' targeting strategy:
- AI and LLM tools make up the largest cluster, capitalizing on the surge of interest in generative AI. The campaign impersonates well-known names like Claude Code itself (packaged as ClaudeCode_x64.7z and claude-cowork-win-x64.7z), references to specific model versions (opus-4-6-x64.7z), and GitHub Copilot (CopilotCowork_x64.7z). It also mimics lesser-known or fictional AI brands, namely KawaiiGPT_x64.7z, WormGPT_x64.7z, NemoClaw_x64.7z (styled as an NVIDIA product), SimpleClaw_x64.7z, clawdbot_x64.7z, nanobot_x64.7z, and OpenClaw_x64.7z. The naming is deliberate: some names sound like legitimate open-source projects, while others like “WormGPT” exploit curiosity around underground AI tools.
- Cryptocurrency and trading tools form the second major theme. Archives named hyperliquid-bot_x64.7z and bbg_free_x64.7z (mimicking Bloomberg Terminal) target the finance and crypto community, a demographic with high-value credentials and wallet data, which makes them attractive targets for infostealer campaigns.
- Creative and media tools round out the lure portfolio. The operators impersonate voice modification software (voicemod_x64.7z), AI video generation tools (seedance_x64.7z, LTX-2.3_x64.7z, SoraRemover_x64.7z), and image generation tools (Z_image_x64.7z). These lures target content creators and artists who may be less security-conscious about software sourced from GitHub.
- Utility software provides additional coverage, with lures masquerading as YouTube_Downloader_x64.7z, OrcaSlicer_x64.7z (a 3D printing slicer), iRemovalPro_x64.7z (an iPhone unlocking tool), and perplexity_computer_x64.7z (impersonating the Perplexity AI search assistant). Each targets a different user demographic, broadening the campaign's reach.
One pattern is consistent across all lures: a throwaway GitHub account creates a repository with a plausible name, populates it with a minimal README, and hosts a trojanized 7z archive as a GitHub Release asset. The archives range from 78 to 167 MB, large enough to appear legitimate and to evade some automated scanning systems. Once a repository is flagged and removed, the operators simply create a new account and repeat the process with a different lure name.
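The pattern just described (fresh account, near-empty history, lure wording, one large archive asset) can be turned into a triage score. The following is an added example, not the lure scanner used for this research. It scores repository and release records shaped like the GitHub REST API's repository and release objects (`full_name`, `created_at`, `assets[].name`, `assets[].size`, `published_at`); the `commit_count` argument is an assumption, obtained by the caller from a separate commits query. Both sample records are constructed, and the account name in the suspect record is a placeholder.

```python
"""Triage heuristic for GitHub Releases abused as a malware delivery channel (added example)."""
from datetime import datetime, timezone
from typing import Dict, List

MB = 1024 * 1024
# Size band of the trojanized 7z archives reported for this campaign (78–167 MB)
SUSPICIOUS_ARCHIVE_BAND = (78 * MB, 167 * MB)
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar")
LURE_KEYWORDS = ("leaked", "cracked", "unlocked", "free", "enterprise")
SUSPICIOUS_AT = 3  # number of independent signals before a repo is flagged

# Constructed evaluation time for the sample records below.
NOW = datetime(2026, 4, 2, 12, 0, tzinfo=timezone.utc)

# Constructed records (account name is a placeholder, repo name follows the campaign's naming).
SUSPECT_REPO = {
    "full_name": "throwaway-account-placeholder/leaked-claude-code",
    "name": "leaked-claude-code",
    "description": "Leaked Claude Code source with unlocked enterprise features",
    "created_at": "2026-04-01T10:00:00Z",
}
SUSPECT_RELEASE = {
    "tag_name": "v1.0",
    "published_at": "2026-04-01T11:00:00Z",
    "assets": [{"name": "ClaudeCode_x64.7z", "size": 120 * MB}],
}
BENIGN_REPO = {
    "full_name": "example-org/sample-cli",
    "name": "sample-cli",
    "description": "Command line tool for parsing logs",
    "created_at": "2024-06-15T08:00:00Z",
}
BENIGN_RELEASE = {
    "tag_name": "v3.2.0",
    "published_at": "2026-03-20T09:00:00Z",
    "assets": [{"name": "sample-cli-linux-amd64.tar.gz", "size": 6 * MB}],
}


def _parse_ts(value: str) -> datetime:
    """GitHub timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def score_repository(repo: Dict, release: Dict, commit_count: int,
                     now: datetime = NOW) -> Dict:
    """Collect abuse signals for one repo/release pair and return a verdict."""
    reasons: List[str] = []
    created = _parse_ts(repo["created_at"])

    age_days = (now - created).days
    if age_days <= 7:
        reasons.append(f"repository created {age_days} day(s) ago")
    if commit_count <= 3:
        reasons.append(f"only {commit_count} commit(s) in history")

    text = f"{repo['name']} {repo.get('description') or ''}".lower()
    hits = [k for k in LURE_KEYWORDS if k in text]
    if hits:
        reasons.append("lure keywords in name/description: " + ", ".join(hits))

    published = release.get("published_at")
    if published and (_parse_ts(published) - created).days < 2:
        reasons.append("release published within 2 days of repository creation")

    low, high = SUSPICIOUS_ARCHIVE_BAND
    for asset in release.get("assets", []):
        name, size = asset["name"], asset["size"]
        if name.lower().endswith(ARCHIVE_EXTENSIONS) and low <= size <= high:
            reasons.append(f"large archive release asset {name} ({size // MB} MB)")

    return {
        "full_name": repo["full_name"],
        "score": len(reasons),
        "reasons": reasons,
        "suspicious": len(reasons) >= SUSPICIOUS_AT,
    }


if __name__ == "__main__":
    for verdict in (score_repository(SUSPECT_REPO, SUSPECT_RELEASE, 1),
                    score_repository(BENIGN_REPO, BENIGN_RELEASE, 412)):
        print(verdict["full_name"], verdict["score"], verdict["suspicious"])
        for r in verdict["reasons"]:
            print("  -", r)
```

None of these signals is damning alone (plenty of legitimate projects start with one commit and a release), which is why the verdict requires several to coincide; the flagged repositories still need a human or sandbox look at the archive before a takedown request.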
Confirmed distribution repositories
Our GitHub lure scanner identified 104 repositories created within seven days of the Claude Code leak using related keywords. Of these, three were confirmed to distribute malicious payloads via GitHub Releases:
- leaked-claude-code/leaked-claude-code: distributes ClaudeCode_x64.7z
- my3jie/leaked-claude-code: repository-based delivery
Related network data confirmed six additional GitHub distribution URLs used by the broader campaign before the Claude Code pivot:
- github[.]com/Kawaii-GPT-ai/KawaiiGPT/releases/: KawaiiGPT lure
- github[.]com/ai-wormGPT/wormGPT/releases/: WormGPT lure
- github[.]com/claude-ai-opus-4-6/claude-opus-4.6/releases/: Claude Opus 4.6 lure
- github[.]com/realtime-voice-changer-app/realtime-voice-changer/releases/: Voicemod lure
- github[.]com/LTX-desktop/LTX-2.3/releases/: LTX video editor lure
- github[.]com/nvidia-nemoclaw/NemoClaw/releases/: NVIDIA NemoClaw lure
Known threat actor accounts include idbzoomh (taken down by GitHub), idbzoomh1, and my3jie. The accounts are disposable, as operators demonstrate no attachment to any single identity or lure theme.
Infection chain
The infection chain is consistent across all lure variants:
- Discovery: The victim searches for a trending software tool on Google or GitHub. For the Claude Code variant, queries like "leaked Claude Code source" and "Claude Code download" surface the malicious repositories.
- Lure: The victim lands on a convincing GitHub repository with a README promising free access, leaked features, or cracked versions.
- Download: The victim downloads a 7z archive (78–167 MB) from GitHub Releases. The archive name matches the lure theme.
- Extraction: Inside the archive is TradeAI.exe, a Rust-compiled dropper binary. In the Claude Code variants, the executable is renamed to ClaudeCode_x64.exe or similar.
- Execution: The dropper deploys two payloads:
  - Vidar Stealer (v18.7): An information stealer performing multi-threaded data theft of browser credentials, cryptocurrency wallets, session tokens, and system information.
  - GhostSocks: A SOCKS5 proxy tool that tunnels network traffic through the victim's machine, enabling the operators to use compromised hosts as residential proxies.
- C&C resolution: Vidar uses dead drop resolvers, a Steam Community profile and a Telegram channel, to retrieve the active C&C address, making infrastructure takedowns more difficult.
- Exfiltration: Stolen data is packaged and sent to the Vidar C&C server.
Security implications of the leaked source code
While the immediate threat is the social engineering campaign delivering Vidar, the leaked source code itself presents a distinct and longer-lasting risk surface. Security experts have warned that access to approximately 512,000 lines of production code from a frontier AI company opens several attack vectors that extend well beyond using the leak as a lure.
Vulnerability research and exploitation
With full access to the codebase, both security researchers and threat actors can systematically audit the code for exploitable vulnerabilities. This concern materialized almost immediately. Within days of the leak, a critical vulnerability in Claude Code was publicly reported, demonstrating that the code is being actively analyzed.
The agentic nature of Claude Code makes this particularly concerning. Unlike a traditional application, Claude Code interacts with file systems, executes terminal commands, reads and writes files, and manages development environments. A vulnerability in the agentic harness could allow:
- Arbitrary code execution through crafted inputs or project files
- Data exfiltration from developer environments via manipulated tool calls
- Privilege escalation through the tool permission system
Prompt injection blueprint
The leaked source also reveals exactly how Claude Code constructs its system prompts, parses user instructions, handles tool definitions, and enforces safety boundaries. This is effectively a blueprint for crafting targeted prompt injections, with attackers knowing the precise wording, ordering, and structure of the safety instructions that govern the model's behavior.
This knowledge could be used to bypass safety controls by understanding their exact implementation, craft inputs that exploit parsing edge cases, and design adversarial inputs optimized for the specific prompt architecture.
Anti-distillation and competitive intelligence
The ANTI_DISTILLATION_CC mechanisms revealed in the source code demonstrate Anthropic's approach to preventing competitors from training on Claude's API outputs. With the implementation details now public, adversaries have a roadmap for circumventing these protections. The cryptographic signatures and fake tool definitions used as canary traps are now visible and can be stripped or avoided.
Agentic attack surface
Perhaps the most significant long-term concern is the exposure of the complete “agentic harness,” which is the system that enables Claude Code to interact with real computing environments. The source code reveals how the model decides which tools to invoke and in what sequence, the permission model governing file system access, command execution, and network operations, the sandbox boundaries and how they are enforced, and the internal safety classifiers and their decision logic.
Access to this knowledge gives adversaries a significant advantage in designing attacks against organizations whose developers use Claude Code in their workflows.
MITRE ATT&CK TTPs
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | Malware hosted on GitHub Releases |
| Resource Development | Establish Accounts: Social Media Accounts | T1585.003 | Disposable GitHub accounts for distribution |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Lure repositories with download links |
| Execution | User Execution: Malicious File | T1204.002 | Victim executes trojanized dropper |
| Defense Evasion | Obfuscated Files or Information | T1027 | Rust-compiled dropper binary |
| Defense Evasion | Virtualization/Sandbox Evasion: System Checks | T1497.001 | Debug environment and user input checks |
| Credential Access | Credentials from Password Stores | T1555 | Vidar steals browser credentials |
| Collection | Data from Local System | T1005 | Cryptocurrency wallets and session tokens |
| Command and Control | Web Service: Dead Drop Resolver | T1102.001 | Steam/Telegram profiles for C2 resolution |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | GhostSocks SOCKS5 proxy |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data sent to Vidar C2 |
Table 2. TTPs used in the campaign
Security recommendations
Organizations can reduce the risk from this campaign by tightening controls around tool installation, validating software sources, and actively monitoring for malicious activity using the following measures.
- Instruct developers to use verified sources only. Legitimate Claude Code is available only through official channels at claude.ai/install.sh (macOS/Linux) or claude.ai/install.ps1 (Windows), and via Homebrew, WinGet, or the VS Code/JetBrains extensions. npm installation has been deprecated. Any GitHub repository offering a standalone download should be treated as malicious.
- Treat GitHub Releases with scrutiny. The campaign abuses GitHub Releases as a trusted delivery mechanism. Large 7z archives (78–167 MB) hosted on newly created repositories with minimal commit history are a strong signal of abuse.
- Block known infrastructure. Add the C2 domains and IPs listed in the IOC section to network blocklists.
- Monitor for infostealer indicators. Watch for credential dumping patterns, connections to Steam Community profiles and Telegram channels used as dead drop resolvers, and unusual SOCKS5 proxy activity.
- Audit AI tool installations. Establish clear organizational policies for which AI coding tools are approved and how they should be installed. Maintain an allowlist of approved sources.
- Enforce endpoint detection. Ensure endpoints have detections for Vidar stealer variants and Rust-compiled droppers. The malware's anti-sandbox behavior means static detection rules are especially important.
Conclusion: Governance is the control plane for agentic risk
This Claude Code leak incident demonstrates that security compromise is not limited to software vulnerabilities; it is frequently enabled by weaknesses in people and organizational processes, which often drive the highest impact. In practice, threat actors did not need a zero-day in the leaked codebase: they leveraged attention, trust signals, and predictable user behavior to achieve execution and credential theft.
This pattern becomes more consequential as organizations adopt agentic AI. Agentic systems can plan, reason, and act across enterprise environments, invoking tools, accessing data, and triggering workflows. Because these systems operate through iterative, adaptive loops rather than fully deterministic execution paths, the outcomes can be difficult to predict, trace, or control.
Accordingly, TrendAI™ is designing solutions as an Agents Governance Gateway, positioning governance as the control plane, rather than treating the problem as security alone. The objective is to give organizations the ability to discover and inventory agents, observe what they are doing, understand behavior and intent across tool and data interactions, detect unsafe or anomalous actions, and enforce policy so that autonomous capability can be adopted with measurable control and accountability.
Indicators of Compromise (IOCs)
IOCs related to this campaign can be found here.