2026-05-135 minhigh

Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

Following an accidental leak of Anthropic's Claude Code source material, threat actors rapidly deployed a social engineering campaign using fake GitHub repositories. The campaign distributes trojanized archives containing a Rust-compiled dropper that deploys Vidar stealer and GhostSocks proxy malware, specifically targeting developers seeking AI tools.

Sens:■ ImmediateConf:highAnalyzed:2026-04-03reports

Authors: Jacob Santos, Sophia Nilette Robles

ActorsVidar StealerGhostSocksTradeAI Campaign

Infostealer Vidar Stealer GhostSocks GitHub Abuse Claude Code

Source:Trend Micro

IOCs · 3

url
github[.]com/ai-wormGPT/wormGPT/releases/Malicious GitHub Release URL distributing trojanized AI tool archives.
url
github[.]com/claude-ai-opus-4-6/claude-opus-4.6/releases/Malicious GitHub Release URL distributing trojanized AI tool archives.
url
github[.]com/Kawaii-GPT-ai/KawaiiGPT/releases/Malicious GitHub Release URL distributing trojanized AI tool archives.

Key Takeaways

Anthropic inadvertently exposed internal Claude Code source material via a misconfigured npm package, leaking 512,000 lines of TypeScript.
Within 48 hours, threat actors leveraged the leak to distribute Vidar stealer and GhostSocks proxy malware via fake GitHub repositories.
The campaign is part of a broader operation active since February 2026, impersonating over 25 software brands to deliver a Rust-compiled dropper.
Attackers abuse GitHub Releases to deliver large trojanized 7z archives, using disposable accounts to evade takedowns.
The leaked source code introduces long-term risks, including vulnerability discovery, prompt injection blueprinting, and agentic attack surface exposure.

Affected Systems

Windows
Developer Environments

Attack Chain

Victims search for trending software like Claude Code and land on malicious GitHub repositories. They download a trojanized 7z archive (78-167 MB) from GitHub Releases containing a Rust-compiled dropper, often named TradeAI.exe or ClaudeCode_x64.exe. Upon execution, the dropper deploys Vidar Stealer and GhostSocks proxy malware. Vidar uses Steam Community profiles and Telegram channels as dead drop resolvers to locate its C2 server, to which it exfiltrates stolen browser credentials, session tokens, and cryptocurrency wallets.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but outlines behavioral indicators and file naming conventions for hunting.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can detect the execution of the Rust-compiled dropper, the subsequent deployment of Vidar and GhostSocks, and credential access behaviors targeting browsers. Network Visibility: Medium — Network monitoring can identify connections to GitHub Releases for large archive downloads, as well as traffic to Steam/Telegram for dead drop resolution and SOCKS5 proxy activity. Detection Difficulty: Moderate — Initial downloads from GitHub Releases blend with legitimate developer activity, but the subsequent execution of a Rust dropper and connections to dead drop resolvers provide solid behavioral detection opportunities.

Required Log Sources

Process Creation (Event ID 4688 / Sysmon 1)
Network Connections (Sysmon 3)
File Creation (Sysmon 11)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unusual process execution originating from recently extracted large .7z archives downloaded from GitHub Releases.	Process Creation, File Creation	Execution	Medium
Detect processes making network connections to Steam Community profiles or Telegram channels followed by connections to unknown IPs, indicating dead drop resolution.	Network Connections	Command and Control	Low
Identify unexpected SOCKS5 proxy traffic originating from developer workstations.	Network Connections	Command and Control	Low

Control Gaps

Lack of strict application allowlisting for developer tools
Inability to inspect encrypted traffic to legitimate services like GitHub, Steam, and Telegram

Key Behavioral Indicators

Large 7z archives (78-167 MB) downloaded from newly created GitHub repositories
Rust-compiled executables running from user directories
Connections to Steam/Telegram for C2 resolution

False Positive Assessment

Recommendations

Immediate Mitigation

Block known malicious GitHub repositories and URLs associated with this campaign.
Isolate endpoints showing signs of Vidar stealer or GhostSocks proxy activity.

Infrastructure Hardening

Enforce endpoint detection for Rust-compiled droppers and infostealer behaviors.
Implement network monitoring for unauthorized SOCKS5 proxy traffic.

User Protection

Instruct developers to install AI tools only from official, verified sources (e.g., claude.ai/install.sh or claude.ai/install.ps1).
Deploy strict application control to prevent execution of unapproved binaries from user directories.

Security Awareness

Educate developers on the risks of downloading 'leaked' or 'cracked' software from unofficial GitHub repositories.
Establish clear organizational policies for the approval and installation of AI coding tools.

MITRE ATT&CK Mapping

T1608.001 - Stage Capabilities: Upload Malware
T1585.003 - Establish Accounts: Social Media Accounts
T1566.002 - Phishing: Spearphishing Link
T1204.002 - User Execution: Malicious File
T1027 - Obfuscated Files or Information
T1497.001 - Virtualization/Sandbox Evasion: System Checks
T1555 - Credentials from Password Stores
T1005 - Data from Local System
T1102.001 - Web Service: Dead Drop Resolver
T1090.003 - Proxy: Multi-hop Proxy
T1041 - Exfiltration Over C2 Channel

Additional IOCs

Urls:
- github[.]com/realtime-voice-changer-app/realtime-voice-changer/releases/ - Malicious GitHub Release URL distributing trojanized voice modifier archives.
- github[.]com/LTX-desktop/LTX-2.3/releases/ - Malicious GitHub Release URL distributing trojanized video editor archives.
- github[.]com/nvidia-nemoclaw/NemoClaw/releases/ - Malicious GitHub Release URL distributing trojanized AI tool archives.
- hxxps://github[.]com/leaked-claude-code/leaked-claude-code - Confirmed malicious GitHub repository distributing ClaudeCode_x64.7z.
- hxxps://github[.]com/my3jie/leaked-claude-code - Confirmed malicious GitHub repository distributing trojanized payloads.
Other:
- claude-cowork-win-x64.7z - Trojanized archive filename used in the campaign.
- opus-4-6-x64.7z - Trojanized archive filename used in the campaign.
- CopilotCowork_x64.7z - Trojanized archive filename used in the campaign.
- KawaiiGPT_x64.7z - Trojanized archive filename used in the campaign.
- WormGPT_x64.7z - Trojanized archive filename used in the campaign.
- NemoClaw_x64.7z - Trojanized archive filename used in the campaign.
- hyperliquid-bot_x64.7z - Trojanized archive filename targeting cryptocurrency users.
- bbg_free_x64.7z - Trojanized archive filename targeting finance users.
- idbzoomh - Known threat actor GitHub account.
- idbzoomh1 - Known threat actor GitHub account.
- my3jie - Known threat actor GitHub account.