In late March 2026, a critical mistake at Anthropic unintentionally exposed internal source material linked to its Claude Code platform, triggering a rapid wave of cyberattacks. Although the company quickly acted to contain the issue, threat actors wasted no time exploiting the situation.
Initially, the incident stemmed from a packaging error during a routine update. On March 31, 2026, Anthropic accidentally included a large 59.8 MB JavaScript source map file within its npm package. As a result, approximately 513,000 lines of original TypeScript code became publicly accessible. This exposed sensitive components, including unreleased features, internal model codenames, and proprietary security mechanisms designed to protect API data from misuse.
However, the consequences escalated almost immediately. Within just 24 hours, cybercriminals launched a large-scale social engineering campaign on GitHub. They created fake repositories and distributed malicious files disguised as the leaked Claude Code software. Consequently, unsuspecting developers and users who downloaded these files unknowingly exposed their systems to credential-stealing malware.
Moreover, the attack chain demonstrated a high level of sophistication. Once a victim downloaded and extracted the fake archive, a Rust-compiled dropper program activated. To begin with, the malware conducted extensive anti-analysis checks. It scanned for virtual machines, sandbox environments, and debugging tools. If it detected any signs of a research setup, it immediately terminated itself to avoid detection.
In addition, the malware employed a unique hardware evaluation technique. Specifically, it assessed the victim’s graphics card, targeting modern gaming PCs. This strongly suggests that attackers prioritized high-performance machines, likely for cryptocurrency mining or stealing valuable gaming-related credentials.
Once the system passed these checks, the malware executed an encrypted script to disable key Windows Defender protections. Subsequently, it deployed two primary payloads: Vidar and GhostSocks. Vidar, in particular, is widely known for harvesting browser passwords, session tokens, cryptocurrency wallets, and critical system data.
According to research from Trend Micro, this incident underscores a crucial reality: human error continues to be a leading cause of cybersecurity breaches. Even a minor oversight, such as a packaging mistake, can quickly escalate into a major security crisis when exploited by threat actors.
Therefore, experts strongly recommend that organizations enforce strict software installation policies. Developers should only download tools from verified and official sources. Furthermore, companies must deploy advanced endpoint detection solutions capable of identifying behavioral anomalies and Rust-based malware to defend against evolving social engineering attacks.
Ultimately, this incident highlights how quickly cyber threats can evolve when sensitive information is exposed. It also reinforces the importance of proactive cybersecurity strategies in an increasingly AI-driven landscape.
Recommended Cyber Technology News:
- Solana Launches STRIDE Framework to Boost DeFi Security
- Keeper Security Highlights Risks in Non Human Identity Security
- Barndoor Expands AI Governance With Microsoft 365 Integration
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
