Anthropic Claude Code Leak

    Date: 04/02/2026

    Severity: High

    Summary

    In March 2026, Anthropic accidentally exposed the full source code of its Claude Code AI agent through a misconfigured npm package that included a large JavaScript source map file. The leak revealed hundreds of thousands of lines of unobfuscated code, exposing internal architecture, agent orchestration logic, and security-related components. The code was rapidly mirrored and widely distributed across public repositories despite takedown efforts. Additionally, threat actors exploited the incident as a lure to distribute malware such as Vidar and GhostSocks, highlighting both the security risks of accidental exposure and its immediate abuse in cybercriminal campaigns.

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://steamcommunity.com/profiles/76561198721263282

    https://telegram.me/g1n3sss

    https://147.45.197.92:443

    https://94.228.161.88:443

    https://github.com/leaked-claude-code/leaked-claude-code

    https://github.com/my3jie/leaked-claude-code

    https://github.com/idbzoomh1

    Hashes (MD5)

    d8256fbc62e85dae85eb8d4b49613774

    8660646bbc6bb7dc8f59a764e25fe1fd

    77c73bd5e7625b7f691bc00a1b561a0f

    81fb210ba148fd39e999ee9cdc085dfc

    9a6ea91491ccb1068b0592402029527f

    3388b415610f4ae018d124ea4dc99189

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://147.45.197.92:443" or siteurl like "https://147.45.197.92:443" or url like "https://147.45.197.92:443" or domainname like "https://steamcommunity.com/profiles/76561198721263282" or siteurl like "https://steamcommunity.com/profiles/76561198721263282" or url like "https://steamcommunity.com/profiles/76561198721263282" or domainname like "https://github.com/leaked-claude-code/leaked-claude-code" or siteurl like "https://github.com/leaked-claude-code/leaked-claude-code" or url like "https://github.com/leaked-claude-code/leaked-claude-code" or domainname like "https://94.228.161.88:443" or siteurl like "https://94.228.161.88:443" or url like "https://94.228.161.88:443" or domainname like "https://github.com/idbzoomh1" or siteurl like "https://github.com/idbzoomh1" or url like "https://github.com/idbzoomh1" or domainname like "https://telegram.me/g1n3sss" or siteurl like "https://telegram.me/g1n3sss" or url like "https://telegram.me/g1n3sss" or domainname like "https://github.com/my3jie/leaked-claude-code" or siteurl like "https://github.com/my3jie/leaked-claude-code" or url like "https://github.com/my3jie/leaked-claude-code"

    Detection Query 2:

    md5hash IN ("d8256fbc62e85dae85eb8d4b49613774","8660646bbc6bb7dc8f59a764e25fe1fd","81fb210ba148fd39e999ee9cdc085dfc","77c73bd5e7625b7f691bc00a1b561a0f","9a6ea91491ccb1068b0592402029527f","3388b415610f4ae018d124ea4dc99189")
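    The two detection queries above, re-expressed as a stand-alone matcher run over a handful of constructed log records; this is an added example, not Gurucul's or Zscaler's code. The field names follow the queries, while the key=value log format, the sample events and the substring reading of "like" are assumptions.

```python
import re
# Indicators copied from the advisory above; the log format and events are constructed.
IOC_URLS = {
    "https://steamcommunity.com/profiles/76561198721263282",
    "https://telegram.me/g1n3sss",
    "https://147.45.197.92:443",
    "https://94.228.161.88:443",
    "https://github.com/leaked-claude-code/leaked-claude-code",
    "https://github.com/my3jie/leaked-claude-code",
    "https://github.com/idbzoomh1",
}
IOC_MD5 = {
    "d8256fbc62e85dae85eb8d4b49613774", "8660646bbc6bb7dc8f59a764e25fe1fd",
    "77c73bd5e7625b7f691bc00a1b561a0f", "81fb210ba148fd39e999ee9cdc085dfc",
    "9a6ea91491ccb1068b0592402029527f", "3388b415610f4ae018d124ea4dc99189",
}
URL_FIELDS = ("domainname", "siteurl", "url")  # the three fields Query 1 inspects

# Constructed key=value log lines (hypothetical proxy/EDR export) used as sample input.
SAMPLE_LOG = """\
ts=2026-04-01T09:12:03Z host=ws01 url=https://github.com/anthropics/claude-code md5hash=-
ts=2026-04-01T09:15:44Z host=ws01 url=https://github.com/my3jie/leaked-claude-code md5hash=-
ts=2026-04-01T09:16:10Z host=ws01 url=- md5hash=D8256FBC62E85DAE85EB8D4B49613774
ts=2026-04-01T09:20:00Z host=ws07 domainname=147.45.197.92 url=https://147.45.197.92:443/gate md5hash=-
ts=2026-04-01T09:21:30Z host=ws07 url=https://example.org/docs md5hash=0123456789abcdef0123456789abcdef
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """One key=value log line -> dict; a value of '-' means the field is absent."""
    return {k: v for k, v in KV_RE.findall(line) if v != "-"}

def match_event(event):
    """(rule, indicator) pairs one event triggers, [] if none. Query 1's 'like' is
    treated as a case-insensitive substring test (assumption; plain SQL LIKE with no
    '%' is an exact match, so confirm in your engine). Query 2: exact MD5 membership."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field, "").lower()
        hits += [("query1", ioc) for ioc in IOC_URLS if value and ioc.lower() in value]
    md5 = event.get("md5hash", "").lower()
    if md5 in IOC_MD5:
        hits.append(("query2", md5))
    return hits

def scan_log(text):
    """Return [(line_no, rule, indicator), ...] for every IOC hit in the log text."""
    return [(n, rule, ioc)
            for n, line in enumerate(text.splitlines(), 1)
            for rule, ioc in match_event(parse_line(line))]
```

    Note that the bare domainname value on the fourth sample line never matches, because the indicator carries a scheme and port; only the url field fires, which matters when these URL-form indicators are applied to fields that hold hostnames only.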

    Reference:

    https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak


    Tags

    Malware, AI, Vidar, Node Package Manager (NPM), Obfuscation
