On March 31, a source code leak exposed 59.8 MB of TypeScript source maps and 512K lines of code. The window between the leak and its weaponization was 24 hours. The Claude Code incident shows that human error remains a major cause of security breaches.
To stop people from downloading AI tools from unofficial sources, companies must strictly enforce their software installation policies. To defend against fast-moving social engineering campaigns, they should deploy endpoint detection capable of identifying Rust-compiled droppers and behavioral anomalies. A separate, active campaign lures victims with fake AI tools (Copilot, Cursor and similar), including TradeAI.exe, with 18 unique samples identified.
Vidar is a well-known information stealer built to aggressively harvest system data, cryptocurrency wallets, session tokens, and browser passwords. GhostSocks targets modern gaming PCs by checking the graphics card, which suggests the attackers are looking for high-performance machines to mine cryptocurrency on or for valuable gaming credentials.
Once it has confirmed that it is running on a real target machine, the dropper runs an encrypted script that systematically disables key Windows Defender protections, clearing the way for its two main payloads, Vidar and GhostSocks. The malware uses a distinct hardware-scoring routine: it profiles the graphics card to identify modern gaming machines and singles them out for mining.