Threat actors are exploiting public interest in Anthropic's Claude Code npm packaging error incident to distribute credential-stealing malware through fake GitHub repositories. The campaign, active since February 2026, has cycled through more than 25 software-brand lures and delivers three payloads: Vidar (a browser-credential and cryptocurrency-wallet stealer), GhostSocks (a SOCKS5 proxy installer), and PureLog Stealer (a fileless .NET information stealer). As of April 7, 2026, the malicious repository had 838 stars, 1,060 forks, and 533 confirmed downloads. Defenders are advised to scan endpoints for the specific executables, rotate all credentials on any machine that may have been exposed, block the known C&C infrastructure, and monitor for unexpected proxy connections on the specific TCP ports. Trend Micro provides detection signatures and hunting queries for its customers.

From trendmicro.com