Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub
Essential information
- Published
- 13/04/2026 16:19
- Modified
- 13/04/2026 14:48
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- ai security claude code leak ghostsocks ghostsocks trojan github delivery social engineering tradedownloader trojanized repositories vidar vidar stealer zero trust
- Tags
- 2026-04-13 ai security claude code leak ghostsocks ghostsocks trojan github delivery social engineering tradedownloader trojanized repositories vidar vidar stealer zero trust
- Related entities
- 10 indicators, 10 observables, 20 techniques (mitre), 3 malware, 1 others
Description
Cybercriminals are exploiting the recent Claude Code leak incident by using it as a social engineering tactic to deliver malware through GitHub repositories. The attackers have created trojanized versions of the leaked Claude source code, distributing malicious payloads including Vidar stealer version 18.7 and GhostSocks trojan. The campaign demonstrates rapid opportunistic exploitation of high-profile security incidents, with compromised repositories serving as delivery mechanisms. Organizations are advised to implement Zero Trust architecture to mitigate risks from shadow AI instances and trojanized Claude agents. Multiple GitHub repositories have been identified hosting the malicious code, with command and control infrastructure established across multiple IP addresses and domains.