Vidar

When the Claude Code source code leaked on March 31, 2026 via a poorly secured npm .map file, most attention focused on the embarrassment for Anthropic. Less discussed: the malware campaigns that were already being built on top of that leak within hours. As of today, threat actors are actively distributing Vidar infostealer malware and GhostSocks proxy through fake GitHub repositories designed to look like legitimate Claude Code forks. If you’ve been searching for Claude Code on GitHub in the last 48 hours, you may have encountered these repos. ...

The Claude Code source code leak of March 31, 2026 created an immediate security hazard: threat actors began distributing Vidar infostealer malware through convincing fake GitHub repositories within 24 hours. If you’ve cloned any Claude Code fork from an unofficial source since then, this guide is for you. This is a practical, step-by-step walkthrough for: Verifying whether you downloaded a legitimate or fake Claude Code repo What to do if you ran a malicious installer How to protect yourself going forward Step 1: Verify the Repository You Downloaded Check the GitHub organization The only legitimate Claude Code repository is under the official Anthropic GitHub organization: ...