Threat actors are exploiting the accidental Claude Code source code leak by publishing fake GitHub repositories that distribute Vidar infostealer malware. On March 31, Anthropic accidentally published an npm package containing a JavaScript source map that exposed nearly the entire TypeScript codebase. While Anthropic confirmed no customer data or credentials were leaked, the incident drew widespread developer attention. Attackers capitalized on this by creating fake repositories claiming to host the leaked code or enterprise-unlocked versions, which instead deliver compressed archives containing Vidar malware. The malware harvests browser credentials, cookies, and cryptocurrency wallet data, and may also proxy network traffic for persistent access. Users are warned to avoid unofficial sources and verify repositories before running any executables.