Skip to content
.ca
sign in
4 minhigh

Anthropic Claude Code Leak | ThreatLabz

Anthropic accidentally leaked the source code for its Claude Code CLI tool via an npm package source map. Threat actors are exploiting the high interest in this leak by creating fake GitHub repositories that distribute a Rust-based dropper, which subsequently installs Vidar infostealer and GhostSocks proxy malware on developer workstations.

Sens:ImmediateConf:highAnalyzed:2026-04-02reports

Authors: MANISHA RAMCHARAN PRAJAPATI

ActorsidbzoomhVidarGhostSocks
Supply ChainGhostSocksSource Code LeakVidarClaude Code

Source:Zscaler ThreatLabz

IOCs · 1

Key Takeaways

  • Anthropic accidentally exposed the full source code of Claude Code via a JavaScript source map file in an npm package.
  • Threat actors are actively using the leaked code as a social engineering lure on GitHub to distribute malware.
  • A malicious repository distributes a Rust-based dropper named 'ClaudeCode_x64.exe' hidden inside a .7z archive.
  • The dropper infects developer workstations with Vidar infostealer and GhostSocks proxy malware.
  • The leak amplifies the risk of exploiting known vulnerabilities (CVE-2025-59536, CVE-2026-21852) and facilitates supply chain attacks.

Affected Systems

  • Developer workstations
  • Environments running untrusted AI agents
  • Users of @anthropic-ai/claude-code npm package

Vulnerabilities (CVEs)

  • CVE-2025-59536
  • CVE-2026-21852

Attack Chain

Threat actors create fake GitHub repositories masquerading as the leaked Claude Code source. Users are lured into downloading a malicious archive named 'Claude Code - Leaked Source Code (.7z)' from the releases section. Upon extraction and execution of the enclosed Rust-based dropper 'ClaudeCode_x64.exe', the system is infected with Vidar infostealer and GhostSocks proxy malware.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: High — Execution of an unknown Rust-based dropper (ClaudeCode_x64.exe) and subsequent dropping of known malware families (Vidar, GhostSocks) should be highly visible to EDR. Network Visibility: Medium — GhostSocks will generate proxy traffic, and Vidar will attempt C2 communication for exfiltration, which can be detected with network monitoring. Detection Difficulty: Moderate — While the initial lure relies on user execution, the subsequent behavior of Vidar and GhostSocks is well-documented and typically caught by standard behavioral detections.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for execution of binaries named 'ClaudeCode_x64.exe' originating from recently downloaded archive files.Process CreationExecutionLow
Monitor for unexpected outbound network connections from developer workstations, particularly from newly created processes, indicating potential GhostSocks or Vidar activity.Network ConnectionsCommand and ControlMedium

Control Gaps

  • Lack of strict application control allowing execution of unsigned binaries from untrusted GitHub repositories.

Key Behavioral Indicators

  • Execution of ClaudeCode_x64.exe
  • Process ancestry showing execution from extracted .7z archives
  • Unexpected proxy connections indicative of GhostSocks

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block execution of 'ClaudeCode_x64.exe'.
  • Do not download, fork, build, or run code from any unofficial GitHub repository claiming to host the Claude Code leak.

Infrastructure Hardening

  • Implement Zero Trust architecture and segment mission-critical application access.
  • Enforce application control to prevent execution of unsigned or untrusted binaries.

User Protection

  • Scan local environments and Git clones for suspicious processes, modified hooks, or unexpected npm packages.
  • Monitor developer workstations for anomalous telemetry or outbound connections.
  • Wait for a cool down period before using the latest npm packages.

Security Awareness

  • Educate developers that leaked code is proprietary and dangerous to run unmodified.
  • Train staff to verify source code and tools against official channels only.
  • Avoid running AI agents with local shell/tool access on untrusted codebases.

MITRE ATT&CK Mapping

  • T1204.002 - User Execution: Malicious File
  • T1059 - Command and Scripting Interpreter
  • T1090 - Proxy
  • T1005 - Data from Local System
  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Additional IOCs

  • File Paths:
    • ClaudeCode_x64.exe - Rust-based dropper executable
    • Claude Code - Leaked Source Code (.7z) - Malicious archive containing the dropper
  • Other:
    • idbzoomh - GitHub account hosting malicious repositories
    • @anthropic-ai/claude-code v2.1.88 - NPM package containing the leaked source map

Related