DEV Community

Mark0
Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

Threat actors are actively exploiting a genuine packaging error in Anthropic’s Claude Code npm release to distribute a variety of malware, including Vidar, GhostSocks, and PureLog Stealer. By creating deceptive GitHub repositories that appear to host the "leaked" code, attackers lure users into downloading malicious archives. This campaign has been active since early 2026 and highlights how quickly cybercriminals weaponize public supply-chain incidents.

The payloads delivered enable a wide range of malicious activity, from multi-threaded theft of credentials and cryptocurrency wallets to turning infected machines into residential proxy infrastructure. Organizations are advised to scan for the published indicators of compromise (for example, the file name ClaudeCode_x64.exe), monitor for unusual outbound proxy traffic, and immediately rotate credentials on any system suspected of compromise.
