Anthropic's Claude Code Leak Weaponized by Hackers to Distribute Vidar and GhostSocks Malware

Summary

Anthropic suffered a significant security incident on March 31, 2026, when a packaging error in a public npm package inadvertently exposed the complete source code for Claude Code, the company's flagship terminal-based coding assistant. The leak contained over 500,000 lines of unobfuscated TypeScript code, which was quickly mirrored across GitHub and forked tens of thousands of times after public disclosure by security researcher Chaofan Shou.

Cybercriminals have rapidly weaponized the leak to launch supply chain attacks targeting developers. Zscaler ThreatLabz researchers discovered malicious GitHub repositories impersonating the legitimate leaked code, with one repository by threat actor idbzoomh ranking near the top of search results. These fake repositories distribute a Rust-based dropper that deploys Vidar information stealer and GhostSocks network proxy malware to compromise developer workstations.

The exposure is particularly dangerous because the leaked codebase reveals sensitive internal mechanisms including shell execution capabilities, permission layers, and hidden feature flags that attackers can exploit to craft precise exploits. Threat actors can potentially trigger silent device takeovers or credential theft by tricking developers into cloning untrusted repositories or opening specially crafted project files. Security teams are urging developers to avoid downloading code from unofficial sources and implement Zero Trust architecture with network segmentation to limit potential damage.

• Organizations should implement Zero Trust architecture, avoid unofficial code sources, and monitor for anomalous network connections and unexpected npm packages