The recent incident around Claude Code, Anthropic's new tool for running programming tasks directly from the terminal, did more than expose sensitive code: it also opened a door for criminals to exploit the media noise and target those hunting for the original leak. What began as an accidental leak of client-side code ended up as a malware distribution campaign disguised as GitHub repositories promising the "complete" version or one with "unlocked features."
The root of the problem was a package published to npm that mistakenly included a source map containing thousands of unobfuscated TypeScript files. That map carried a large volume of code, including details of the agent's orchestration, permission handling, execution subsystems and other internals that would not normally ship in a client package. Within hours the material had been widely downloaded and mirrored in multiple public repositories, where it was cloned and forked by thousands of users looking for something new.

That same frenzy caught the attention of malicious actors. According to industry researchers, fraudulent repositories were found that claimed to host the leak but were in fact designed to attract downloads from curious users and professionals who wanted to examine the code. The attackers optimized these repositories to rank among the first search results for "leaked Claude Code", funneling mass traffic toward malicious files. The trick relies on the trust many place in GitHub as a central hub for open source.
In the cases analyzed, the trap took the form of a compressed .7z file containing a Rust executable whose name evoked the original project. When run, this dropper deployed the infostealer known as Vidar, alongside proxy tools to conceal the outbound traffic. Vidar is an info-stealer designed to harvest credentials and sensitive data; its use here is opportunistic: the attackers exploit curiosity about the alleged leak to obtain code execution on victims' machines. Research teams have also observed that the malicious packages are updated frequently, suggesting the operators may add new modules in future iterations.
The incidents confirm an old but still current lesson: repositories on legitimate platforms can serve as distribution vectors if the end user does not verify the source or inspect what they download. Although GitHub has takedown and blocking mechanisms, the scale and speed with which sensitive information is replicated, and traps are built on top of it, complicate containment. Historically, public events and leaks have served as irresistible bait for attackers who hide malicious payloads in projects that appear harmless or of technical interest.
This calls for a two-sided effort. On one side, organizations that release software must tighten controls on their supply chains to avoid accidental exposure (review what gets packed into npm, source maps, and other artifacts generated by build tools). On the other, developers and researchers who dig through repositories should do so with caution: never run binaries of unknown origin without first analyzing them in an isolated environment, verify official signatures and hashes, and prefer downloads from the project's official sources.
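The publisher-side check described above, the review of what actually gets packed into an npm tarball, is easy to automate. The following is an added example written for this article; it is not Anthropic's code nor any tooling from the incident. It builds a constructed tarball (fabricated data, not the real package) whose dist/ directory accidentally ships a source map with the original TypeScript embedded in `sourcesContent`, then audits it the way a pre-publish CI step would audit the output of `npm pack`.

```python
import io
import json
import tarfile


def build_sample_tarball() -> bytes:
    """Constructed sample data (not the real package): an npm-style tarball
    whose dist/ directory carries a source map with embedded TypeScript."""
    source_map = {
        "version": 3,
        "file": "cli.js",
        "sources": ["../src/cli.ts", "../src/agent/orchestrator.ts",
                    "../src/agent/permissions.ts"],
        "sourcesContent": ["export const main = () => {};",
                           "export class Orchestrator {}",
                           "export function isAllowed(tool: string) { return false; }"],
        "mappings": "AAAA",
    }
    files = {
        "package/package.json": json.dumps({"name": "example-cli", "version": "1.0.0"}),
        "package/dist/cli.js": "console.log('hi');\n//# sourceMappingURL=cli.js.map\n",
        "package/dist/cli.js.map": json.dumps(source_map),
        "package/README.md": "# example\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_npm_tarball(tgz: bytes) -> dict:
    """Inspect a gzipped npm tarball and report anything that leaks source.

    Findings: every .map file, how many sources each references, how many of
    those carry full text in sourcesContent, and any raw .ts/.tsx files other
    than type declarations. Verdict is FAIL if a map embeds source text or raw
    TypeScript is shipped; a map that only lists paths is still reported."""
    report = {"source_maps": [], "maps_with_content": [], "sources_listed": 0,
              "embedded_sources": 0, "ts_sources": []}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if name.endswith((".ts", ".tsx")) and not name.endswith(".d.ts"):
                report["ts_sources"].append(name)
            if not name.endswith(".map"):
                continue
            report["source_maps"].append(name)
            try:
                sm = json.loads(tar.extractfile(member).read())
            except ValueError:
                continue  # malformed map: already listed as a finding above
            # Indexed source maps nest ordinary maps under "sections"
            parts = [s.get("map", {}) for s in sm.get("sections", [])] or [sm]
            for part in parts:
                report["sources_listed"] += len(part.get("sources", []))
                embedded = [c for c in (part.get("sourcesContent") or []) if c]
                report["embedded_sources"] += len(embedded)
                if embedded and name not in report["maps_with_content"]:
                    report["maps_with_content"].append(name)
    report["verdict"] = "FAIL" if report["maps_with_content"] or report["ts_sources"] else "PASS"
    return report


if __name__ == "__main__":
    print(json.dumps(audit_npm_tarball(build_sample_tarball()), indent=2))
```

In a real pipeline you would run `npm pack` (or `npm pack --dry-run` for a listing) and feed the resulting .tgz to `audit_npm_tarball`, failing the release on a FAIL verdict. The usual fix is to exclude maps via the `files` field in package.json or `.npmignore`, or to stop emitting `sourcesContent` in production builds.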

For those interested in the technical context and the analyses published on the campaign and the original leak, the notes and reports from research teams and specialized outlets are worth consulting. Anthropic maintains information about its products and updates on its official website, https://www.anthropic.com. Security groups that have documented the abuse and the construction of malicious repositories publish their findings on technical blogs, for example in Zscaler's research section, https://www.zscaler.com/blogs/security-research, and specialized outlets such as BleepingComputer closely track malware campaigns and abuse of public platforms, https://www.bleepingcomputer.com/news/security/. For the role of platforms and their public security measures, GitHub's blog and its Security Lab offer context on threats and mitigations, https://securitylab.github.com.
In the short term, the most practical step for those investigating, or simply curious about, public leaks is to keep a verification routine: check signatures and checksums, avoid directly executing unknown executables, analyze artifacts in sandboxes or virtual machines, and rely on detection solutions that inspect behavior rather than only static signatures. For teams and project managers, it is essential to review build pipelines and publish artifacts with as little sensitive information as possible; source maps and other auxiliary build products can reveal more than intended if accidentally exposed.
The Claude Code episode is a reminder that the intersection of public disclosure, technical curiosity and the malware business is fertile ground for abuse. It is not just a code publication error: it is a wake-up call about how technical information is managed and consumed in the era of instant search.
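The consumer-side routine above (verify the checksum first, then look at what an archive actually contains before anything is run) can also be scripted. This is an added example for this article, not code from the page, from Anthropic or from any of the research teams cited. The bait archive it inspects is constructed here, not a real sample, and a zip is used because Python's standard library has no .7z reader; for a real .7z you would list and extract it with `7z` inside a throwaway VM and apply the same content-based check to the extracted files. The point of `classify` is that it identifies executables by their leading bytes, so a PE stub renamed to look like a source bundle is still flagged.

```python
import hashlib
import hmac
import io
import zipfile
from typing import Optional

# Leading bytes that identify native executables regardless of file name.
_MAGIC = [
    (b"MZ", "pe/dos"),                 # Windows PE (and DOS) executables
    (b"\x7fELF", "elf"),               # Linux/Unix ELF
    (b"\xcf\xfa\xed\xfe", "mach-o"),   # 64-bit Mach-O, little-endian
    (b"\xfe\xed\xfa\xcf", "mach-o"),   # 64-bit Mach-O, big-endian
    (b"#!", "script"),                 # shebang script
]


def classify(head: bytes) -> Optional[str]:
    """Return an executable type from the first bytes of a file, or None."""
    for magic, kind in _MAGIC:
        if head.startswith(magic):
            return kind
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse `sha256sum` output: '<hex>  <name>' or '<hex> *<name>' per line."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def verify_sha256(data: bytes, filename: str, sums: dict) -> bool:
    """True only if the file is listed and its digest matches exactly."""
    expected = sums.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def triage_zip(blob: bytes) -> list:
    """List archive members, classifying each by content rather than extension."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as f:
                head = f.read(4)
            rows.append({"name": info.filename, "size": info.file_size,
                         "kind": classify(head)})
    return rows


def executables_in(rows: list) -> list:
    """Names of members that should never be run outside a sandbox."""
    return [r["name"] for r in rows if r["kind"] is not None]


def build_sample_archive() -> bytes:
    """Constructed bait archive (not a real sample): a README, a file named
    like a source bundle that is really a PE stub, and a setup script."""
    members = {
        "claude-code-full/README.md": b"# leaked Claude Code (unlocked)\n",
        "claude-code-full/src-bundle.json": b"MZ\x90\x00" + b"\x00" * 60,
        "claude-code-full/setup.sh": b"#!/bin/sh\necho install\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zi = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(zi, data)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_archive()
    for row in triage_zip(blob):
        print(f"{row['kind'] or 'data':8} {row['size']:6d} {row['name']}")
```

Run the hash check against a checksum published by the official project, never one shipped inside the same repository as the archive, and treat any non-empty `executables_in` result as a reason to stop and analyze in an isolated VM rather than extract locally.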