Threat Actors Exploit Claude Code Leak to Distribute Vidar Malware via Fake GitHub Repositories
AI-generated from multiple sources. Verify before acting on this reporting.
SAN FRANCISCO — Cybersecurity researchers have identified a new campaign in which threat actors are capitalizing on a recent leak of source code from Anthropic's Claude Code to distribute the Vidar information stealer through counterfeit GitHub repositories.
The activity was detected on April 2, 2026, when security analysts observed unauthorized repositories appearing on the code-sharing platform. The repositories mimic legitimate Claude Code projects, reusing similar names and file layouts to deceive developers and system administrators. Downloading the code is not by itself the infection step: once a user installs or runs it, the embedded Vidar payload executes and harvests login credentials, browser history, and cryptocurrency wallet data from the machine.
Vidar is a commodity infostealer that has been sold to other criminals and used in a wide range of attacks since 2018. It scans an infected system for files and configuration belonging to popular applications, browsers, and wallet software, then exfiltrates what it finds to command-and-control servers operated by the threat actors.
The use of the Claude Code leak raises the bar for these attacks without requiring a new exploit. Because github.com is a trusted domain, reputation-based filtering that would block a download from an unknown site lets the look-alike repository through, and the decision to trust the code rests entirely on the developer. That makes the campaign particularly effective against the software development community, for whom cloning and running a repository is routine.
Security experts warn that using GitHub for malware distribution is not new, but the scale and targeting of this campaign are concerning. The attackers are specifically going after developers, who are more likely to trust a repository that appears to belong to a popular AI tool such as Claude Code. That targeting raises the odds of a successful infection and a subsequent credential or data breach.
The incident has renewed questions about the security practices around open-source repositories and the measures in place to detect and remove malicious ones. GitHub has mechanisms to flag and take down suspicious repositories, but the speed at which the fakes are created, together with the quality of the social engineering, makes detection difficult.
As of now, it is unclear how many developers have been affected or how much data has been compromised. Security firms are working to identify and remove the malicious repositories, but new ones continue to appear as the threat actors adapt.
The incident underscores the ongoing challenge of securing the software supply chain and the need for developers to treat code from third-party sources as untrusted until verified. Practical checks include confirming the owner of a repository before cloning it (Claude Code is published under Anthropic's anthropics organization on GitHub and installed from the npm package @anthropic-ai/claude-code, not from arbitrary forks), reviewing install-time hooks and bundled binaries before running anything, and executing unfamiliar checkouts only in isolated environments. As the investigation continues, cybersecurity professionals are urging organizations to add layers of protection such as code signing, provenance verification, and runtime monitoring that alerts on access to browser credential stores and wallet files, to reduce the risk of similar attacks.
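As an added illustration, not code from the original reporting or from the Claude Code project, the following Python script performs the kind of pre-execution triage a developer can run on a freshly cloned repository before installing or running anything from it. It assumes the impersonated project is a Node/TypeScript command-line tool, as Claude Code is, and flags contents such a project has no reason to ship: native executables, npm lifecycle hooks that run commands automatically during `npm install`, and scripts that decode and execute an embedded payload. The look-alike checkout it builds is constructed for the demonstration, and the "payload" inside it is an inert string; the heuristics are generic and are not indicators from this campaign.

```python
#!/usr/bin/env python3
"""Pre-execution triage of a cloned repository (added example).

Walks a checkout and reports files that a Node/TypeScript CLI project
has no reason to contain. These are heuristics to prompt a closer look,
not a verdict, and the patterns are generic rather than campaign IoCs.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

# Magic bytes of native executables: PE (Windows), ELF (Linux), Mach-O (macOS).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
BINARY_SUFFIXES = {".exe", ".dll", ".scr", ".msi", ".dylib"}
# npm runs these automatically during `npm install`; a common place to hide a dropper.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SCRIPT_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".ps1", ".bat", ".cmd"}
# Decode-then-execute idioms: an eval-like call together with a base64 decode.
EVAL_RE = re.compile(r"\b(eval|exec|new\s+Function)\s*\(|\bInvoke-Expression\b|\biex\b")
DECODE_RE = re.compile(r"\b(atob|b64decode|base64\.decode)\b|Buffer\.from\([^)]*['\"]base64['\"]")
PAYLOAD_PATTERNS = [
    (re.compile(r"powershell[^\n]*-(enc|encodedcommand)\b", re.I), "PowerShell encoded command"),
    (re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"), "download piped straight into a shell"),
]


def file_reasons(path: Path) -> list:
    """Return the reasons (possibly none) that this single file looks risky."""
    reasons = []
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(EXECUTABLE_MAGIC):
        reasons.append("native executable (magic bytes)")
    if path.suffix.lower() in BINARY_SUFFIXES:
        reasons.append(f"executable extension {path.suffix}")
    if path.name == "package.json":
        try:
            scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
        except (ValueError, UnicodeDecodeError):
            scripts = {}
        for hook in NPM_LIFECYCLE_HOOKS:
            if hook in scripts:
                reasons.append(f"npm lifecycle hook '{hook}': {scripts[hook]}")
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        text = path.read_text(encoding="utf-8", errors="replace")
        for pattern, label in PAYLOAD_PATTERNS:
            if pattern.search(text):
                reasons.append(label)
        if EVAL_RE.search(text) and DECODE_RE.search(text):
            reasons.append("decode-and-execute: eval/exec combined with base64 decoding")
    return reasons


def triage_repo(root) -> list:
    """Return (relative_path, reason) pairs for every risky file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        for reason in file_reasons(path):
            findings.append((rel.as_posix(), reason))
    return findings


def build_sample_repo() -> Path:
    """Construct a look-alike checkout in a temp dir (sample data, not a real repository)."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    (root / "src").mkdir()
    (root / "bin").mkdir()
    (root / "README.md").write_text("# claude-code (constructed look-alike)\n")
    (root / "src" / "index.ts").write_text('export const main = () => console.log("hello");\n')
    # Lifecycle hook that runs a script as soon as someone does `npm install`.
    (root / "package.json").write_text(
        json.dumps({"name": "claude-code", "scripts": {"postinstall": "node install.js"}})
    )
    # Decode-and-execute stub; the encoded payload is just console.log('stub').
    (root / "install.js").write_text(
        "const p = Buffer.from('Y29uc29sZS5sb2coJ3N0dWInKQ==', 'base64').toString();\n"
        "eval(p);\n"
    )
    # A fake PE header standing in for a bundled binary.
    (root / "bin" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for rel, reason in triage_repo(target):
        print(f"{rel}: {reason}")
```

Run it with a path argument to triage a real checkout, or with no argument to see it flag the constructed sample: the `postinstall` hook, the decode-and-execute `install.js`, and the bundled `.exe` are reported, while the README and the TypeScript source are not. A hit is a reason to read the file before running it, not proof of malice; legitimate projects do occasionally ship lifecycle hooks, which is exactly why they deserve a look when the repository's provenance is uncertain.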