Be careful what you click - hackers use Claude Code leak to push malware | TechRadar
Hackers exploit Claude Code leak with fake GitHub repos
Malicious files deploy Vidar infostealer and GhostSocks proxy malware
Anthropic faces rising scrutiny amid recent vulnerabilities and rapid product rollout
Hackers have jumped on the recent news of a major Claude Code source code leak to trick people into infecting their computers with infostealer malware.
A few days ago, an Anthropic employee accidentally leaked the source code for Claude Code in what the company confirmed wasn’t an act of a malicious insider, or third party, but rather a mishap.
People quickly picked up on it, backing up the leak into a GitHub repository which has, by now, been forked tens of thousands of times. Now cybercriminals are capitalizing on it.
Security researchers at Zscaler said they observed malicious GitHub repositories, published by a user with the name ‘dbzoomh’, claiming to be Claude Code’s source code with “unlocked enterprise features” and no usage restrictions.
The hacker even optimized the repository for search engines, apparently succeeding in what most marketing agencies dream of - hitting the first page of Google for “leaked Claude Code” and similar search queries.
Zscaler said that the repository holds a 7-Zip archive containing an executable named ClaudeCode_x64.exe. It was built in Rust and, when launched, deploys Vidar and GhostSocks.
Vidar is an extremely powerful, well-known infostealer, capable of grabbing browser data (cookies, stored passwords, and more), saved passwords, cryptocurrency wallet data, and other vital files. GhostSocks, on the other hand, is proxy malware that turns infected machines into residential proxies. Criminals use these proxies to route malicious traffic, often selling access to them as a service.
According to Zscaler, the malicious archive is being constantly updated, hinting that the payloads might change in the future. They also said they saw a different GitHub repository with identical code. This one, however, shows a defunct “Download ZIP” button, prompting the researchers to conclude that the attackers toyed with different deployment mechanisms.
The account pushing the malicious update has since been removed from the platform, and the GitHub page shows a 404 error message.
Anthropic has been shipping new products at high speed, seemingly at the expense of security. In the last couple of weeks, we’ve had multiple stories about Claude being vulnerable to prompt injection and similar attacks.
On March 27, 2026, security researchers at Koi Security found a major flaw in Claude Code’s Google Chrome extension that enabled zero-click attacks. Dubbed ShadowPrompt, the vulnerability could have allowed malicious actors to exfiltrate sensitive data.
A few days prior, on March 19, security researchers Oasis reported finding three vulnerabilities in Claude which, when used together, form a complete attack chain - from targeted victim delivery to sensitive data exfiltration. The researchers dubbed it Cloudy Day and responsibly disclosed it to Anthropic, which quickly addressed it.
Still, the platform’s popularity is skyrocketing. The same day ShadowPrompt was discovered, Anthropic was forced to throttle its tools during peak hours to cope with rising demand. “To manage growing demand for Claude we're adjusting our 5 hour session limits for free/Pro/Max subs during peak hours. Your weekly limits remain unchanged”, said Thariq Shihipar, an engineer who works on Claude Code, in a post on X.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
TechRadar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.



