Deconstructing digital infrastructure and the threats targeting it

Back
cybersecurity

Claude Code Source Leak and Active Malware Campaign

Technical record of the March 31, 2026 Anthropic npm packaging failure, the concurrent axios supply chain compromise, and the Vidar/GhostSocks campaign that followed.

April 3, 2026 · High (malware campaign) / Medium (source exposure)

Situation Summary

On March 31, 2026, Anthropic published version 2.1.88 of Claude Code to the public npm registry with a 59.8 MB JavaScript source map file bundled inside. The file contained the full, unobfuscated TypeScript source of Claude Code — 512,000 lines across 1,906 files — and a direct pointer to a publicly accessible zip archive on Anthropic's own Cloudflare R2 storage. No authentication required to download either.

This was not a breach. A missing entry in a packaging configuration file allowed a debug artifact to ship to production. Anthropic confirmed human error. No customer data, API credentials, or model weights were exposed.

The same packaging failure had occurred once before, on Claude Code's original launch day in February 2025. The fix identified at that time was not implemented before the second incident occurred thirteen months later.

Within hours of public disclosure, threat actors deployed trojanized repositories on GitHub using the leak as a lure, delivering Vidar v18.7 and GhostSocks to developers searching for the exposed source. That campaign is active and the primary operational risk from this incident for most readers.

Incident Timeline

Time (UTC) Event
2026-03-31 00:21 Malicious axios 1.14.1 and 0.30.4 published to npm via compromised maintainer account. Both contain an embedded Remote Access Trojan delivered via dependency plain-crypto-js.
2026-03-31 03:29 Malicious axios versions removed from npm. Exposure window: 3 hours 8 minutes.
2026-03-31 ~04:00 Claude Code v2.1.88 pushed to npm with 59.8 MB cli.js.map bundled. R2 bucket publicly accessible.
2026-03-31 04:23 Chaofan Shou (@Fried_rice, intern at Solayer Labs) posts discovery on X with direct download link.
2026-03-31 ~06:00 Codebase mirrored to GitHub. Clean-room rewrite hits 50,000 stars in under two hours — reportedly the fastest repository in GitHub history to reach that mark.
2026-03-31 ~08:00 Anthropic pulls v2.1.88 from npm. Issues statement to VentureBeat, The Register, CNBC: "release packaging issue caused by human error, not a security breach."
2026-04-01 Anthropic DMCA takedowns disable 8,100+ GitHub repositories, including unintentionally forks of Anthropic's own public repo containing no leaked code. Anthropic engineer Boris Cherny confirms the overreach was unintentional. GitHub restores affected forks.
2026-04-02 Zscaler ThreatLabz publishes analysis of active Vidar/GhostSocks campaign using leak as lure.

Root Cause

Three independent failures compounded. Any one of them, caught, would have stopped the leak.

1. Missing .npmignore entry Anthropic builds Claude Code using Bun, the JavaScript runtime the company acquired in December 2025. Bun generates *.map source map files during the build process by default. The standard exclusion is a single line in .npmignore:

*.map

That line was absent. The 59.8 MB cli.js.map file shipped inside the published package.

2. Open Bun bug #28001 A known Bun issue (filed March 11, 2026 — 20 days before the incident) documented that source maps were being emitted in production builds despite documentation stating they should not be. The bug was unresolved at the time of the release. Anthropic owns Bun. The bug was in their own toolchain.

3. Unautomated deployment step Boris Cherny, Anthropic's head of Claude Code, confirmed publicly that the incident involved a manual deployment step that should have been automated — the same root cause identified after the February 2025 incident. The automation was not implemented in the 13 months between the two events.

The R2 bucket The source map contained a reference to a zip archive on Anthropic's Cloudflare R2 storage. That bucket was publicly accessible. This was a separate misconfiguration from the .npmignore failure — it provided a second, easier path to the same material without needing to parse the map file.

Scope of Exposed Material

Component Detail
Source files 1,906 TypeScript files
Lines of code ~512,000–513,000
Unshipped feature flags 44 gating ~20 unreleased capabilities
Internal system prompts Full text exposed
Unreleased model codenames Capybara, Tengu, others

What was not exposed: model weights, customer data, API keys, inference infrastructure, safety pipelines.

KAIROS and autoDream

Referenced over 150 times in the codebase, KAIROS is an unreleased autonomous background agent mode gated behind compile-time flags that evaluate to false in external builds. When active, it operates as a persistent daemon — maintaining append-only daily logs, subscribing to GitHub webhooks, and performing a process called autoDream during idle periods.

autoDream consolidates memory across sessions: merging observations from session transcripts, removing logical contradictions, and converting vague notes into structured facts. The system uses MEMORY.md as a lightweight index (~150 characters per entry) rather than loading full session history, with a write discipline constraint that prevents memory updates unless a filesystem write is confirmed — to avoid polluting long-term state with hallucinated operations.

None of this is in the version of Claude Code developers download. All of it is now in permanent public circulation.

Undercover Mode

src/utils/undercover.ts (~89 lines) activates for Anthropic employees (USER_TYPE === 'ant') when Claude Code is used on a non-internal repository. When active, it:

  • Strips Co-Authored-By attribution from commits
  • Suppresses internal model codenames and unreleased version numbers
  • Prohibits references to internal tools, Slack channels, and upcoming features
  • Injects a system prompt that includes: "You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository... Do not blow your cover."

The module is dead-code-eliminated in external builds. It does not exist in the version developers download.

Security Validator Chain

The bash security module (bashSecurity.ts, ~2,500 lines) runs a chain of 23+ validators before allowing shell commands to execute. The source code contains internal comments from the Safeguards team documenting a known ordering issue: validateGitCommit can return an allow decision that short-circuits the chain before validateRedirections runs. The comment reads, in part: "validateGitCommit returns allow → bashCommandIsSafe short-circuits → validateRedirections NEVER runs → ~/.bashrc overwritten."

This was a known, documented gap before the leak. It is now publicly documented.

Context Compaction Pipeline

Claude Code manages context pressure through a four-stage compression cascade that summarizes old conversation history to fit within the model's context window. The compaction instructions direct the model to preserve user messages and treat user feedback as high-priority.

Security firm Straiker identified this as an attack path: text injected into files the agent reads — a project configuration, a CLAUDE.md rule file, a repository README — can potentially survive the compression step and emerge on the other side treated as a trusted user directive. The readable source eliminates the research cost of finding this path.

Concurrent Supply Chain Attack: Axios

On March 31, 2026, between 00:21 and 03:29 UTC — hours before the Claude Code leak was discovered — attackers compromised the npm account of an axios maintainer and published malicious versions 1.14.1 and 0.30.4. Axios is one of npm's most widely downloaded packages at 83 million weekly downloads. The malicious versions contained an embedded Remote Access Trojan delivered via a dependency called plain-crypto-js.

Claude Code uses axios as a dependency. The two incidents are completely unrelated. The overlap is timing: developers who installed or updated Claude Code via npm during the 3-hour 8-minute axios exposure window may have pulled the trojanized axios dependency alongside the legitimately published (if mis-packaged) Claude Code.

Detection — check your lockfiles:

Search package-lock.json, yarn.lock, or bun.lockb for:

  • axios version 1.14.1
  • axios version 0.30.4
  • dependency plain-crypto-js

If any appear, treat the environment as potentially compromised and remediate accordingly.

Active Malware Campaign

Overview

Zscaler ThreatLabz identified and documented a malware distribution campaign using the leak as a social engineering lure, published April 2, 2026.

The pattern is standard post-disclosure tradecraft: a high-profile security event generates search volume, attackers optimize malicious repositories to intercept that traffic before legitimate sources rank. In this case, the repositories appeared in top Google results for "leaked Claude Code" at the time of Zscaler's analysis.

Threat actor: idbzoomh (primary GitHub account; additional mirror accounts documented in Zscaler IOC list) Lure: Fake repositories claiming to offer the leaked Claude Code source, advertising "unlocked enterprise features" and no usage limits Delivery: 7-Zip archive named Claude Code - Leaked Source Code.7z

Technical Chain

Stage 1 — Dropper The archive contains ClaudeCode_x64.exe, a Rust-based PE32+ executable. On execution it drops two payloads.

Stage 2a — Vidar v18.7 Commodity infostealer. Targets browser credential stores (Local State, Cookies, Login Data across Chromium-based browsers and Firefox), saved passwords, autofill data, credit card data, cryptocurrency wallet files, and active session cookies. C2 IP retrieved dynamically post-execution; exfiltration via POST to newly registered domains.

Stage 2b — GhostSocks SOCKS5 proxy implant. Turns the infected device into proxy infrastructure for criminal network operations. Persists after the initial infection session.

This is the same Vidar family that has appeared consistently throughout 2025–2026 in supply chain lure campaigns. The delivery mechanism changes. The payload does not.

MITRE ATT&CK

Technique ID
Supply Chain Compromise T1195.001
User Execution: Malicious File T1204.002
Credentials from Web Browsers T1555.003
Steal Web Session Cookie T1539
Proxy T1090

Indicators of Compromise

Files:

  • Claude Code - Leaked Source Code.7z
  • ClaudeCode_x64.exe (Rust-based PE32+ executable)

Behavioral:

  • Archive file claiming to contain Claude Code source downloaded from GitHub releases
  • Rust executable spawning additional processes post-execution
  • Outbound connections to newly registered domains following execution
  • Non-browser process accessing Chromium credential stores

Sigma Rule — Vidar Browser Credential Access:

title: Vidar Infostealer Browser Credential Access
status: experimental
description: >
  Detects non-browser process access to Chromium credential stores,
  consistent with Vidar infostealer post-execution behavior.
logsource:
    category: file_event
    product: windows
detection:
    target_files:
        TargetFilename|contains:
            - '\User Data\Local State'
            - '\User Data\Default\Network\Cookies'
            - '\User Data\Default\Login Data'
    filter_legitimate:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
            - '\MsMpEng.exe'
        Image|startswith:
            - 'C:\Program Files\'
    condition: target_files and not 1 of filter_*
level: high
tags:
    - attack.credential_access
    - attack.t1539
    - attack.t1555.003

Persistent Attack Surface

The immediate packaging failure is remediated. Version 2.1.88 is pulled. The deployment process is being automated. What is not remediated is the permanent public availability of Claude Code's internal architecture — and the attack surface implications that follow for users of the current and future versions of the tool.

Compaction poisoning is now documented and accessible. The four-stage context compression pipeline, its instruction set, and the specific condition under which injected text survives compression are all in public repositories. Prior to the leak, finding this path required reverse engineering the minified bundle. That research cost is now zero. Any attacker building malicious repositories or project files targeting Claude Code users has a complete implementation reference.

The bash validator chain gap is publicly documented. The validateGitCommit short-circuit that bypasses validateRedirections was an internal Safeguards team finding before March 31. It is now in thousands of forks. Targeted exploitation of this path is more accessible than it was before the leak.

Feature flag names are a roadmap. The 44 feature flags and 20 unshipped capabilities give competitors and researchers precise insight into Anthropic's near-term product direction. This is not a security risk in the traditional sense, but it is a permanent strategic disclosure that cannot be undone.

The practical implication for Claude Code users is that the tool's permission prompts and security validators are now legible to anyone who wants to study how to circumvent them. Anthropic's response — pulling 2.1.88 and patching the deployment pipeline — addresses the source of the leak. It does not change what was already distributed.

Remediation

If you ran any file claiming to be leaked Claude Code

  1. Disconnect from the network immediately
  2. From a clean, unaffected device: reset passwords and MFA tokens for all critical accounts
  3. Revoke all active sessions on email, financial, and work accounts
  4. Run a full endpoint scan for Vidar and GhostSocks indicators (see IOCs above)
  5. Check Windows Scheduled Tasks and Startup folders for persistence mechanisms

If you updated Claude Code via npm on March 31 between 00:21–03:29 UTC

  1. Check lockfiles for axios 1.14.1, 0.30.4, or dependency plain-crypto-js
  2. If found: treat environment as compromised, rotate credentials

For ongoing Claude Code use

Use the native installer, not npm:

curl -fsSL https://claude.ai/install.sh | sh

Verify installed version is past 2.1.88. The native installer bypasses the npm registry for Claude Code distribution.

If you publish npm packages

The Claude Code incident is a clean example of a three-point failure that a single automated check would have caught. A pre-publish gate that scans the tarball for .map files costs almost nothing to implement:

# Verify package contents before publishing
npm pack --dry-run

# Explicit source map exclusion in .npmignore
*.map
*.js.map
*.ts.map

# Bun: explicit suppression flag
bun build --no-sourcemap

# Post-pack verification: check for unexpected large files
npm pack && tar -tzf *.tgz | awk '{print $NF, $5}' | sort -k2 -rn | head -20

Bottom Line

The packaging failure is contained. The code is not. 512,000 lines of Claude Code's internal architecture are permanently in public circulation across platforms that DMCA enforcement cannot reach. The immediate threat is not the source code itself — browsing it in a GitHub repository carries no risk. The threat is executables claiming to contain it.

Do not download or run archive files from unofficial sources claiming to be the leaked Claude Code. The repository is a lure. The executable is Vidar. The outcome is credential theft and your machine becoming proxy infrastructure for someone else's criminal operations.

References