What this "Claude Code Unlocked" is really doing?


A security researcher analyzes a fake 'Claude Code Unlocked' malware campaign that exploited the recent Anthropic source map leak. The malicious 7z file distributed via GitHub contains multiple payloads including an info stealer (Vidar), remote access trojans (RATs), a hidden VNC tool, persistence mechanisms disguised as legitimate services (Intel Graphics Host, Adobe Cloud Sync), and a Ledger Live wallet injector for crypto theft. The malware appears to be largely vibe-coded, with anti-sandbox checks that miss some analysis environments. Claude Code itself was used to statically analyze the fake repository and quickly identified it as illegitimate. Key takeaways: never run .exe files claiming to be source code, and be cautious with any files related to software leaks.

14m watch time
