Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads

    Date: 04/06/2026

    Severity: High

    Summary

    Following the accidental leak of Anthropic’s Claude Code, threat actors quickly exploited the incident by creating fake “leaked” repositories to distribute malware such as Vidar stealer and GhostSocks. The campaign, part of a broader operation impersonating multiple software brands, abuses trusted platforms like GitHub Releases to deliver trojanized payloads and evade detection. This activity highlights how attackers weaponize public events and trusted channels for malware distribution, while also underscoring long-term risks from exposed source code, including vulnerability discovery and increased attack surface for AI-driven systems.

    Indicators of Compromise (IOC) List 

    Domains/URLs

    IP Address

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://steamcommunity.com/profiles/76561198721263282" or url like "https://steamcommunity.com/profiles/76561198721263282" or siteurl like "https://steamcommunity.com/profiles/76561198721263282" or domainname like "https://telegram.me/dikkh0k" or url like "https://telegram.me/dikkh0k" or siteurl like "https://telegram.me/dikkh0k" or domainname like "serverconect.cc" or url like "serverconect.cc" or siteurl like "serverconect.cc" or domainname like "https://pastebin.com/raw/mcwWi1Ue" or url like "https://pastebin.com/raw/mcwWi1Ue" or siteurl like "https://pastebin.com/raw/mcwWi1Ue" or domainname like "https://steamcommunity.com/profiles/76561198742377525" or url like "https://steamcommunity.com/profiles/76561198742377525" or siteurl like "https://steamcommunity.com/profiles/76561198742377525" or domainname like "https://snippet.host/efguhk/raw" or url like "https://snippet.host/efguhk/raw" or siteurl like "https://snippet.host/efguhk/raw" or domainname like "https://telegram.me/g1n3sss" or url like "https://telegram.me/g1n3sss" or siteurl like "https://telegram.me/g1n3sss" or domainname like "https://rti.cargomanbd.com" or url like "https://rti.cargomanbd.com" or siteurl like "https://rti.cargomanbd.com" or domainname like "https://socifiapp.com/api/reports/upload" or url like "https://socifiapp.com/api/reports/upload" or siteurl like "https://socifiapp.com/api/reports/upload" or domainname like "https://147.45.197.92:443" or siteurl like "https://147.45.197.92:443" or url like "https://147.45.197.92:443" or domainname like "https://94.228.161.88:443" or siteurl like "https://94.228.161.88:443" or url like "https://94.228.161.88:443" or domainname like "github.com/Kawaii-GPT-ai/KawaiiGPT" or siteurl like "github.com/Kawaii-GPT-ai/KawaiiGPT" or url like "github.com/Kawaii-GPT-ai/KawaiiGPT" or domainname like "github.com/LTX-desktop/LTX-2.3" or siteurl like "github.com/LTX-desktop/LTX-2.3" or url like "github.com/LTX-desktop/LTX-2.3" or domainname 
like "github.com/OtisChin/open-claude-code" or siteurl like "github.com/OtisChin/open-claude-code" or url like "github.com/OtisChin/open-claude-code" or domainname like "github.com/ai-wormGPT/wormGPT" or siteurl like "github.com/ai-wormGPT/wormGPT" or url like "github.com/ai-wormGPT/wormGPT" or domainname like "github.com/claude-ai-opus-4-6/claude-opus-4.6" or siteurl like "github.com/claude-ai-opus-4-6/claude-opus-4.6" or url like "github.com/claude-ai-opus-4-6/claude-opus-4.6" or domainname like "github.com/idbzoomh1" or siteurl like "github.com/idbzoomh1" or url like "github.com/idbzoomh1" or domainname like "github.com/leaked-claude-code/leaked-claude-code" or siteurl like "github.com/leaked-claude-code/leaked-claude-code" or url like "github.com/leaked-claude-code/leaked-claude-code" or domainname like "github.com/my3jie/leaked-claude-code" or siteurl like "github.com/my3jie/leaked-claude-code" or url like "github.com/my3jie/leaked-claude-code" or domainname like "github.com/nvidia-nemoclaw/NemoClaw" or siteurl like "github.com/nvidia-nemoclaw/NemoClaw" or url like "github.com/nvidia-nemoclaw/NemoClaw" or domainname like "github.com/realtime-voice-changer-app/realtime-voice-changer" or siteurl like "github.com/realtime-voice-changer-app/realtime-voice-changer" or url like "github.com/realtime-voice-changer-app/realtime-voice-changer"

    Detection Query 2 :

    dstipaddress IN ("64.188.70.194","185.196.9.98","84.201.4.120","147.45.197.92","77.239.121.3","144.31.204.145","193.23.211.29","77.239.120.249","144.31.139.201","193.143.1.160","206.245.157.177","87.251.87.137","193.143.1.155","144.31.139.203","94.228.161.88","144.31.204.136","194.28.225.230","93.185.159.90","144.31.123.157","121.127.33.212","172.245.112.202") or srcipaddress IN ("64.188.70.194","185.196.9.98","84.201.4.120","147.45.197.92","77.239.121.3","144.31.204.145","193.23.211.29","77.239.120.249","144.31.139.201","193.143.1.160","206.245.157.177","87.251.87.137","193.143.1.155","144.31.139.203","94.228.161.88","144.31.204.136","194.28.225.230","93.185.159.90","144.31.123.157","121.127.33.212","172.245.112.202")

    Detection Query 3 :

    sha256hash IN ("1fe8a6df98ac1984daaba257504ba00b2932021ba264a49ff70e797d1a8b83e6","e13d9304f7ebdab13f6cb6fae3dff3a007c87fed59b0e06ebad3ecfebf18b9fd","03a0a9948a220b635ba3dbf71e64a5dfcc0a4a4efcce76ff9f3d664faef68a3e","789835888a76eca8cc9e8625004607be99a90ec9f7a4db06c568a69ccb76bd60","a22ddb3083b62dae7f2c8e1e86548fc71b63b7652b556e50704b5c8908740ed5","40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378","87133e737b2892cebee006068b341012e2c07db1526c08d0a13d0e0cf11d25d1","839ec43959d298599c05bb20003487a76ceefed9fb0bdfae780f14009d5cd47d","4adb51eb159b99cba7dc3749325348836827f43cedc45672df16c408d864f28c","8595715812ca39aefe2eba284aee8036463c35b594e528f9372386c1db7ad813","802355ad0d78f9a33ac7cee8f3b2bd09a0c0258bddfab502ed284e4a1b0b97ea","0f69513905b9aeca9ad2659ae16f4363ac03a359abeac9ac05cab70a50f17b65","2a4a8f58ad259bde54e9d37cc4a86563797c99a5dc31a0ae39a92f7807b846b9","06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf","17145a933525ca8a6f29a818cf0fd94c37f20836090791bec349ae6e705670d4","4183fa32ceee134369924cf1124e7db0fda8d748511b6d3b327ae35e990f54e9","8090c3ecad7e4559ead21be02c564d20329e21fe3f449bcd9dbd8734f041aebd","385d00d5dcefa918858e1d2d6623e7d1155f972b694f48944f98fcceb2624211","cce96b39831ce36b9fd1262a7cf4024218dbb3e2c7f1829c261cf79e5c9b50a8","249058ce8dc6e74cff9fb84d4d32c82e371265b40d02bb70b7955dceea008139","92ea932a9fde49bffe94442c956df51d5e24b790dce0987413dcfd2bd6533006","30be8190db0627a363927be8b8c8f38f31891fb8958b3691944b69533f6770b3","192f893bad1b188f6a95b59ce92170dd037bf8a0b9b271557f8add0bea09b1e4","36c4bb55b7e4c072e0cbc344d85b3530aca8f0237cc4669aecdd4dd8f67ab43a","9644f44d3f7d25bc91c74d52c76ef48e2a74e5e0c07d78892f708266129e7dcc","905f5697b42d00081c7f564631506f891fea3babc639655df9a3979c983abe00","a91db63f47be1a86e7b67eb9245ec673bd916c136614d1bbe3ad224fd2e56e81","aa5823a9338dddc56ed8512605e5c25b2b1c030f8fcc27594604e3c3611412c5","52e83c718ca96a12b98c5b31af177204145837f4208b0ee0c8e9c2b454795a64","7d5e84dd59165422f31a5a0e53aabba657a6f
bccc304e8649f72d49e468ae91a","537243230e14fb0f82bee8f51cac2e1d7ae955bb497c78b109972df51690edcf","9b8ce5fb1572d76340886e04d0e8d3318ef01ffe55d6efa5e8fb5c4ae4980b3c","80920e8843ead75c58d56f55d351dbff01ccf9f28090e401479f21d651190b41","a803e68ba6c00cd435d2f8c13087d778552f13ebc3354dc91b4638efdf1d03b0","bef345a58bead10b9b556a64788a4ee948e86403af142223659f7add09ec6779","c9486f3249f9fd37073142bea47debb9aa11a4de5cfeb12078a59749a5a12407","d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846","afa34c71a45f21d599c0bd90ac9026f68727aab0019c3b378956401475180c9c","879430b25ffdc2ff52e083bace983e6915c2c74e0825c6e52d2c7436ab8d64a9","81abcdbad6597af9edd4c1b5de6af94f288609a4238033e8c7d703ca4fe5118e","0b6ed577b993fd81e14f9abbef710e881629b8521580f3a127b2184685af7e05","a181785b9f4e5b7186bf70aa23c8cabd5cc853d023c9a16225de882a7a1a737d","e29ad19eb8558def511aeb450287b80bbf92a2ff5d92401df200863ce25631db","b4554c85f50c56d550d6c572a864deb0442404ddefe05ff27facb3cbfb90b4d6","f03e38e1c39ac52179e43107cf7511b9407edf83c008562250f5f340523b4b51","4c1577d5fb6e36ad863ac0168a82bb40db707d5427a16bc5510ce7d8f17a54b0","96384813d1fa06eb4cf98b0ae4c91817d540014dc7b2be645c6c43acec0f8e53","44d40a9e59f08252a22939f76c92362c15a1ffab0dd3a4e3414bf4a5adc5d7c4","80d6b8d37d86543ff72614f63a6dab5828e4dd54a1af5836c157bde764f5a865","18467faa4fa10ea30fef2012fbd2c36f31407d0466b4e880dd1b6e1e37c9aff6","96db6133e7ca04264ffdf18928c394376323c283a82e8106feec2ac28ee21eeb","b285d84ac95b277fd9518a25793536f17a053f18ec4bf4b7bd0143c0eec6c1b4","f96d80f7702cb1d5a340ab774e759e3357790c131cfac14a018716813dbc54dd","54d69b135e557bebf9bb6c837544d057194d53b695aa9c73013196501894df3b","518ff5fbfa4296abf38dfc342107f70e1491a7460978da6315a75175fb70e2b3","b73bd2e4cb16e9036aa7125587c5b3289e17e62f8831de1f9709896797435b82","65953a2916844c386fea0b3399618e1b1d5ee8d0cc7d5a1de0ac7e35ea02b90d","7b072c13bae667ee4a077b48e3572468672b8593fb9b7adcf93230daf2c69e87","bebfe4ad683680d4fc433fa8d418e9bbd8e5c3468e5c4a6827a7eaab81f19a5f","6c446cd445e76874c2606b5cb35
5e033a61514f8ea0fe94f0c0c31ee702ea8f2")
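
One way to run the indicator match from Detection Query 1 outside the SIEM, as an added example that is not part of the original advisory: indicators and log values are normalised to host, port and path before comparison, so a repository-path indicator matches release downloads under that repository but not a host-only field or a similarly named repository. The indicator and event values are constructed placeholders, the helper names parse, matches and triage are hypothetical, and it assumes the domainname, url and siteurl fields hold either a bare host or a full URL.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators: URL with port, bare host, host plus repo path.
INDICATORS = [
    "https://203.0.113.10:443",
    "c2.example.test",
    "github.com/example-org/leaked-tool",
]

# Constructed log events; field names follow Detection Query 1.
EVENTS = [
    {"id": 1, "url": "https://github.com/example-org/leaked-tool/releases/download/v1/setup.7z"},
    {"id": 2, "url": "https://github.com/example-org/leaked-tool-mirror"},
    {"id": 3, "domainname": "github.com"},
    {"id": 4, "domainname": "C2.Example.Test."},
    {"id": 5, "siteurl": "203.0.113.10:443"},
]

def parse(value):
    """Split a URL, host[:port] or host/path string into (host, port, path)."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", value, re.I):
        value = "//" + value  # no scheme: make urlsplit treat it as a netloc
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed netloc or port in a log field
        return "", None, ""
    return (host or "").lower().rstrip("."), port, parts.path.rstrip("/")

def matches(indicator, observed):
    """True when the observed host or URL falls under the indicator."""
    i_host, i_port, i_path = parse(indicator)
    o_host, o_port, o_path = parse(observed)
    if not i_host or i_host != o_host:
        return False
    if None not in (i_port, o_port) and i_port != o_port:
        return False
    # Compare paths on a segment boundary so one repository path does not
    # flag a sibling with a longer name, or every request to the shared host.
    return not i_path or o_path == i_path or o_path.startswith(i_path + "/")

def triage(events, indicators=INDICATORS):
    """Return (event id, field, indicator) for each matching field."""
    return [(ev["id"], field, ind)
            for ev in events
            for field in ("domainname", "url", "siteurl") if ev.get(field)
            for ind in indicators if matches(ind, ev[field])]
```

Events 2 and 3 are not flagged: a path indicator on a shared host such as github.com only fires when the logged field carries that repository's path.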

    Reference:    

    https://www.trendmicro.com/en_us/research/26/d/weaponizing-trust-claude-code-lures-and-github-release-payloads.html


    Tags

    Malware, Exploit, Vidar, Stealer, GitHub, Trojan, AI
