The recent code leak involving Anthropic has taken a dangerous turn, as cybercriminals rapidly weaponize the exposed data to launch targeted malware campaigns. What began as an internal packaging mistake has now escalated into a full-scale security threat, with attackers exploiting the leaked code of Claude Code to deceive developers and compromise systems.

The incident traces back to March 31, 2026, when Anthropic accidentally published a public npm package containing a JavaScript source map file. This file exposed more than 500,000 lines of unobfuscated TypeScript, revealing sensitive internal logic and operational structures of its AI-powered coding assistant. Although no user data or model weights were leaked, the exposed architecture provided enough insight for attackers to reverse-engineer potential attack paths. Following disclosure by security researcher Chaofan Shou, the code quickly spread across platforms like GitHub, where it was widely mirrored and forked.
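The packaging mistake described above, a source map shipped inside a published npm package, is something a pre-publish check can catch. The following is an added example, not code from Anthropic or from this article; `auditPackageFiles`, the `{ path, text }` input shape and the sample files are assumptions made for illustration, and the check goes beyond the article by also covering maps inlined into JavaScript files as base64.

```javascript
// Added example: flag source maps that would ship original sources in a package.
// Input: [{ path, text }] for each file in the package (hypothetical shape).
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+/=]+)/;

// Count original-source lines carried inside a parsed source map object.
function embeddedLines(map) {
  // An indexed map nests one regular map per section.
  const maps = Array.isArray(map.sections) ? map.sections.map((s) => s.map || {}) : [map];
  let lines = 0;
  for (const m of maps) {
    for (const src of m.sourcesContent || []) {
      if (typeof src === "string" && src.length > 0) lines += src.split("\n").length;
    }
  }
  return lines;
}

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, text } of files) {
    // Stand-alone .map files are parsed directly; JS files are searched for an inline map.
    let json = path.endsWith(".map") ? text : null;
    const kind = json === null ? "inline-map" : "map-file";
    const hit = json === null && /\.[cm]?js$/.test(path) ? INLINE_MAP.exec(text) : null;
    if (hit) json = Buffer.from(hit[1], "base64").toString("utf8");
    if (json === null) continue;
    try {
      const lines = embeddedLines(JSON.parse(json));
      // Maps without sourcesContent still disclose original file paths, so list them too.
      findings.push({ path, kind, embedsSource: lines > 0, lines });
    } catch (err) {
      findings.push({ path, kind, embedsSource: false, lines: 0, error: "unparseable map" });
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from any real package).
const SAMPLE_FILES = [
  { path: "dist/cli.js", text: "console.log('hi');\n//# sourceMappingURL=cli.js.map\n" },
  { path: "dist/cli.js.map", text: JSON.stringify({ version: 3, sources: ["../src/cli.ts"],
      sourcesContent: ["const a: number = 1;\nexport default a;"], mappings: "AAAA" }) },
  { path: "dist/util.js.map", text: JSON.stringify({ version: 3, sources: ["../src/util.ts"], mappings: "AAAA" }) },
];
console.log(auditPackageFiles(SAMPLE_FILES));
```

A release pipeline can fail the build when any finding has `embedsSource` set, and treat the remaining findings as a prompt to exclude `.map` files from the published file list.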

Almost immediately, threat actors began exploiting the situation by creating malicious repositories disguised as legitimate copies of the leaked code. These repositories are carefully designed to rank highly in search results, increasing the likelihood that unsuspecting developers will download them. Instead of providing authentic source code, these malicious versions contain harmful payloads that initiate infection once executed.

Security researchers from Zscaler have uncovered one such campaign, where attackers distribute a Rust-based dropper hidden inside a downloadable archive. When executed, the dropper installs two dangerous malware strains: Vidar, which is used to extract sensitive credentials and personal data, and GhostSocks, which turns infected systems into proxy nodes for malicious network activity. This combination allows attackers not only to steal valuable information but also to leverage compromised machines for further attacks.

What makes this threat particularly severe is the depth of insight the leaked code provides. The exposed files include details about execution layers, permission systems, and automated scripting capabilities. These insights enable attackers to craft highly precise exploits, potentially allowing silent system takeovers or unauthorized command execution. In many cases, simply cloning a malicious repository or opening a compromised project file could be enough to trigger the attack without obvious warning signs.

This incident highlights the growing risks associated with software supply chain attacks, especially within developer ecosystems. Organizations are now being urged to take immediate precautions, including restricting downloads to verified sources and avoiding any repositories claiming to host leaked proprietary code. Strengthening security frameworks, such as adopting Zero Trust principles and segmenting development environments, can significantly reduce the impact of such attacks.

As the situation continues to evolve, it serves as a stark reminder that even a single exposure in the software development lifecycle can quickly cascade into widespread exploitation. For developers and organizations alike, vigilance and strict adherence to secure coding and sourcing practices are now more critical than ever.
