Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

Threat actors are actively exploiting Anthropic's Claude Code npm packaging error incident to distribute credential-stealing malware via fake GitHub repositories. The campaign, active since February 2026, has cycled through 25+ software brand lures and delivers three payloads: Vidar (browser credential and crypto wallet stealer), GhostSocks (SOCKS5 proxy installer), and PureLog Stealer (.NET fileless info-stealer). As of April 7, 2026, the malicious repo had 838 stars, 1,060 forks, and 533 confirmed downloads. Defenders are advised to scan endpoints for specific executables, rotate all credentials on potentially exposed machines, block known C&C infrastructure, and monitor for unexpected proxy connections on specific TCP ports. Trend Micro's detection signatures and hunting queries are provided for customers.

Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do