Fake Claude Code Source Downloads Used to Push Vidar and GhostSocks Malware
by Justin Erickson
A threat actor is using the recent Claude Code source leak by Anthropic on March 31st to lure users to a malicious GitHub repository claiming to offer “‘unlocked enterprise features’ and no usage restrictions.” The malicious archive contains a Rust-based dropper named ClaudeCode_x64.exe. When it is run, it installs Vidar v18.7, an information stealer, and GhostSocks, which turns infected devices into proxy infrastructure. Vidar can collect account credentials, credit card data, and browser data. A second related GitHub repository with identical code was also identified, suggesting the same threat actor may have been testing different delivery methods. For more in-depth information, check out the articles below.
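As an added defensive example (not code from the original post, nor from any project it describes), the following Python triage check inspects a downloaded "source" archive and flags every member that is a Windows PE image by its MZ/PE headers, regardless of extension, so a dropper like ClaudeCode_x64.exe bundled where only source files belong stands out. The archive contents and file names are constructed for the demonstration; the check also generalises to executables hidden behind non-executable extensions.

```python
import io
import posixpath
import struct
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1"}

def is_pe_image(data: bytes) -> bool:
    """True when data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_executables(archive_bytes: bytes) -> list[dict]:
    """Flag archive members that are PE images by content or carry an executable extension by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)  # the PE signature sits within the first few hundred bytes
            ext = posixpath.splitext(info.filename)[1].lower()
            by_content = is_pe_image(head)
            by_name = ext in EXECUTABLE_EXTENSIONS
            if by_content or by_name:
                findings.append({
                    "name": info.filename,
                    "pe_by_content": by_content,
                    "executable_extension": by_name,
                    "disguised": by_content and not by_name,  # PE content behind a harmless extension
                })
    return findings

def build_sample_archive() -> bytes:
    """Constructed stand-in for a 'source' download: two source files plus two PE header stubs."""
    # Minimal DOS header (e_lfanew = 0x40) followed by the PE signature; not a runnable program.
    pe_stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("claude-code/README.md", "# Claude Code (unlocked)\n")
        zf.writestr("claude-code/src/main.rs", "fn main() {}\n")
        zf.writestr("claude-code/ClaudeCode_x64.exe", pe_stub)
        zf.writestr("claude-code/assets/icon.png", pe_stub)  # PE hiding behind an image extension
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_executables(build_sample_archive()):
        print(hit)
```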
