DEV Community

Mark0

Claude Code leak used to push infostealer malware on GitHub

Threat actors are capitalizing on the recent accidental source code leak of Anthropic's Claude Code by distributing fake repositories on GitHub. These malicious repositories claim to offer "unlocked enterprise features" and no usage restrictions, targeting users searching for the leaked 513,000 lines of unobfuscated TypeScript code that was inadvertently exposed via a published npm package.

Security researchers at Zscaler found that these SEO-optimized repositories deliver a 7-Zip archive containing a Rust-based executable. Once launched, the dropper installs the Vidar information stealer and the GhostSocks network proxying tool. This incident serves as a stark reminder of the opportunistic nature of cybercriminals who leverage high-profile leaks to infect curious users and developers.

