Claude Code Leak - Exploited to Distribute Malware

Basically, hackers used leaked code to trick people into downloading harmful software.
A malicious GitHub repository is exploiting the Claude Code leak to distribute malware. Tens of thousands of users downloaded compromised versions, risking their sensitive data. Stay informed and protect yourself from these threats.
What Happened
A recent leak of Anthropic's Claude Code has been exploited to distribute malware via a malicious GitHub repository. This repository masquerades as a legitimate source for the TypeScript code of Claude Code CLI, tricking users into downloading compromised files.
Who's Being Targeted
Tens of thousands of users have fallen victim to this deception. Many downloaded the malicious files, unaware that they contained harmful software designed to steal sensitive information.
How It Works
The malicious repository claims to provide unlocked enterprise features of Claude Code. However, the downloaded package, which is a .7z archive, includes a Rust-based dropper named ClaudeCode_x64.exe. Once executed, this dropper installs Vidar, an infostealer that collects account credentials, credit card information, and browser history. Additionally, it deploys GhostSocks, a tool that creates a proxy network to conceal the malicious activities.
Signs of Infection
Users may notice unusual behavior on their devices, such as unexpected prompts for credentials or slow performance. If you suspect infection, check for unknown applications or processes running on your system.
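A quick triage sweep for the artifacts described above, as an added example that is not part of the original article: it flags files carrying the reported dropper name ClaudeCode_x64.exe and 7z archives identified by their signature bytes rather than their extension. The "claude" substring test for archive names and the finding labels are assumptions made for this sketch, and a filename match is a hint for further analysis, not a verdict.

```python
import os
from pathlib import Path

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7z signature header
PE_MAGIC = b"MZ"                          # DOS/PE executable header
DROPPER_NAME = "claudecode_x64.exe"       # dropper filename named in the article
LURE_WORD = "claude"                      # assumed heuristic for archive names


def classify(path):
    """Return a finding label for one file, or None if nothing matches."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(6)
    except OSError:
        return None  # unreadable or locked file: skip, do not abort the sweep
    name = Path(path).name.lower()
    if name == DROPPER_NAME:
        # A PE header makes the name match more significant than a stub file.
        return "dropper-name+pe" if head.startswith(PE_MAGIC) else "dropper-name-only"
    if head == SEVEN_ZIP_MAGIC and LURE_WORD in name:
        # Content sniffing catches archives renamed away from .7z.
        return "7z-archive-lure-name"
    return None


def sweep(root):
    """Walk root recursively and return sorted (label, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full)
            if label:
                findings.append((label, full))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Scan the directory given on the command line, or the current one.
    for label, path in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label}\t{path}")
```

Point it at a downloads or extraction directory; anything it reports should go to a proper malware scan before being opened.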
How to Protect Yourself
To safeguard against such threats, consider the following actions:
- Avoid downloading software from unofficial sources. Always verify the legitimacy of repositories.
- Use antivirus software to scan downloads before executing them.
- Monitor your accounts for unauthorized transactions or login attempts.
- Educate yourself about the latest malware tactics and stay updated on cybersecurity news.
This incident highlights the ongoing risks associated with leaked source code and the importance of vigilance when downloading software from the internet.