Claude AI Source Code Leak Exposes Vulnerability to Malware Spreading
Claude Code Source Leak Exploited to Spread Malware
In March 2026, a source code leak involving Anthropic’s Claude Code tool turned into a significant cybersecurity threat when attackers exploited the exposed files to deceive developers.
Initial Discovery and Distribution
The leak was first reported by security researcher Chaofan Shou, who posted about it on a popular platform. The leaked code comprised approximately 513,000 lines of unobfuscated TypeScript across 1,906 files, exposing the tool’s client-side agent framework.
However, one supposed fork of the leaked code, published as a repository, was in fact a malicious archive named “Claude Code Leaked Source Code” and distributed as a .7z file, which contained a Rust-based executable called ClaudeCode_x64.exe. When run, ClaudeCode_x64.exe dropped Vidar v18.7 and GhostSocks onto the system. Vidar is an information-stealing malware, while GhostSocks is used to redirect network traffic.
Investigation and Findings
Researchers from Zscaler observed the threat actor uploading multiple versions of the malicious archive to the repository’s releases section within a short time frame. The same repository was also found under a different account, “my3jie,” containing identical code and apparently linked to the same threat actor.
The popularity of Claude Code makes it an attractive lure for scammers, malware distributors, and other attackers. In fact, earlier this month, researchers from Push Security warned about fake or cloned Claude Code installation pages that were spreading malware and appearing in Google Search results.
To reduce the risk, developers should:
- Verify the authenticity of any source code against Anthropic’s official channels.
- Be cautious of suspicious links and websites.
- Use reputable antivirus software and keep it up-to-date.
By taking these precautions, you can protect yourself from falling victim to the Claude Code source leak exploit.
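As an added illustration of the first precaution (this is example code, not from the article or from Anthropic), the script below triages a purported “leaked source” archive before anyone extracts or runs it: a TypeScript source dump has no business containing native executables, so every entry is checked both by extension and by its leading magic bytes, which also catches a binary renamed to look like a source file. The sample archive is constructed in memory; the real lure was a .7z file, and applying the same check to one would need a 7z library such as py7zr (assumption), since the standard library only handles ZIP.

```python
import io
import zipfile

# Extensions and magic bytes that have no place in a TypeScript source dump.
NATIVE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".msi")
PE_MAGIC = b"MZ"        # Windows PE header (e.g. ClaudeCode_x64.exe)
ELF_MAGIC = b"\x7fELF"  # Linux ELF header


def suspicious_members(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry that looks like native code.

    Both the file extension and the first bytes of the content are checked,
    so an executable renamed to e.g. 'vendor/helper.ts' is still reported.
    Nothing is extracted to disk; members are only read in memory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(NATIVE_EXTENSIONS):
                findings.append((name, "native executable extension"))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC):
                findings.append((name, "executable header despite source-like name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure: TS sources plus a dropper binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/cli.ts", "export const main = () => {};\n")
        zf.writestr("src/agent/loop.ts", "export function step() {}\n")
        zf.writestr("ClaudeCode_x64.exe", b"MZ" + b"\x00" * 62)  # flagged by extension
        zf.writestr("vendor/helper.ts", b"MZ" + b"\x90" * 30)    # renamed binary, flagged by header
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_archive()):
        print(f"FLAG {name}: {reason}")
```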
