Claude AI GitHub Scam: Fake Repos Spread Vidar Malware to Thousands of Developers
Cybercriminals weaponized Claude AI's popularity through fake GitHub repos, infecting thousands of developers with Vidar malware disguised as leaked source code—one of 2025's biggest supply chain attacks.
Introduction
In early 2025, cybercriminals orchestrated a sophisticated campaign that weaponized the popularity of Anthropic's Claude AI assistant, creating fake GitHub repositories that promised access to leaked source code and enterprise features. Within weeks, tens of thousands of developers unknowingly downloaded malware disguised as legitimate Claude Code tools, leading to widespread credential theft and system compromises. According to BleepingComputer, threat actors successfully distributed Vidar infostealer malware through repositories that appeared to offer the coveted Claude Code source.
The attack campaign exploited a perfect storm of circumstances: the explosive growth of AI coding assistants, developers' eagerness to access cutting-edge tools, and inherent trust in the GitHub platform. Compounding the threat, researchers discovered multiple critical vulnerabilities in Claude Code itself, including CVE-2026-25722, CVE-2026-33068, and CVE-2026-21852, which attackers leveraged to exfiltrate sensitive data. Zscaler's ThreatLabz confirmed active exploitation in the wild, marking this as one of the most significant supply chain attacks targeting the developer community in recent years.
The Anatomy of the Attack
How the Scam Operated
The attack began when a threat actor using the handle "idbzoomh" created malicious GitHub repositories designed to impersonate legitimate Claude Code leak sources. These repositories featured professional-looking documentation, convincing README files, and promises of "unlocked enterprise features" that would normally require paid subscriptions. The social engineering was remarkably effective—developers searching for Claude Code resources encountered these fake repositories prominently positioned in GitHub search results.
According to GitHub Security Advisory GHSA-jh7p-qr78-84p7, the malicious repositories contained multiple attack vectors. Rather than providing functional code, the repositories distributed ZIP archives containing Vidar infostealer malware. This sophisticated malware targets browser credentials, cryptocurrency wallets, credit card data, and API keys stored on compromised systems.
Technical Vulnerabilities Exploited
The campaign's effectiveness was amplified by genuine security flaws in Claude Code. CVE-2026-25722 represents a critical command injection vulnerability that allows attackers to execute arbitrary commands through specially-crafted directory names. When Claude Code processes a malicious repository, it fails to properly sanitize directory names, enabling attackers to embed shell commands that execute during repository scanning operations.
CVE-2026-33068 involves a workspace trust bypass mechanism. Normally, Claude Code prompts users to confirm trust before executing code from new repositories. However, attackers discovered they could manipulate .claude/settings files to skip this critical security dialog, allowing malicious code to execute automatically without user consent.
Perhaps most concerning is CVE-2026-21852, which enables API traffic redirection through attacker-controlled ANTHROPIC_BASE_URL environment variables. As detailed by SecurityWeek, this vulnerability allows attackers to intercept and steal Anthropic API keys before users even establish trust with a repository. The stolen keys can then be used for unauthorized API access, potentially costing victims thousands of dollars in fraudulent usage charges.
Impact and Scope
Who Was Affected
The primary victims were developers actively using or evaluating Claude Code integrations. Organizations implementing AI-assisted development workflows found themselves particularly vulnerable, as compromised developer machines often had access to sensitive corporate resources, including production API keys, source code repositories, and internal documentation.
The secondary impact extended far beyond individual developers. When API keys were stolen, attackers gained unauthorized access to corporate AI services, resulting in unexpected billing charges and potential data exposure. Companies whose credentials were compromised faced downstream breaches affecting their customers and partners, creating a cascading effect throughout software supply chains.
Scale of the Breach
Security researchers classified these vulnerabilities as critical severity. Zscaler's analysis revealed that attackers continuously updated their malicious ZIP archives to evade antivirus detection, demonstrating sophisticated operational security. Multiple GitHub repositories hosted identical scam content, with non-functional download buttons that redirected victims to malware distribution sites.
The stolen data included browser-saved credentials, financial information, session tokens, and intellectual property stored in local repositories. For organizations, the compromise of API keys meant attackers could query AI models with sensitive prompts, potentially extracting confidential information or racking up substantial usage costs.
Detection and Verification
Identifying Malicious Repositories
Developers should scrutinize any Claude Code repository carefully before cloning. Legitimate Anthropic repositories are hosted under official organizational accounts with verified badges. Fake repositories often exhibit telltale signs including recently created accounts, inflated star counts with minimal actual forks, and commit histories showing bulk uploads rather than iterative development.
Check repository URLs carefully—attackers use names like "claude-ai-official" or "anthropic-claude-code" that mimic legitimate sources but aren't affiliated with Anthropic. Review contributor profiles; established projects have maintainers with long GitHub histories and contributions to other legitimate projects.
System Compromise Indicators
If you've cloned suspicious repositories, immediately check for compromise indicators. Review installed packages and search for Claude Code versions prior to security patches. Audit environment variables for unauthorized modifications, particularly ANTHROPIC_BASE_URL or similar API configuration settings.
Examine your file system for directories containing special characters or command syntax in their names—these may indicate exploitation attempts for CVE-2026-25722. Monitor network traffic for unexpected outbound connections, especially to recently-registered domains or IP addresses in suspicious geographic locations.
Protection and Remediation
Immediate Response Steps
If you suspect compromise, take immediate action. First, disconnect the affected system from the network to prevent further data exfiltration. Rotate all credentials that may have been exposed, including API keys, passwords, SSH keys, and authentication tokens. Don't just change passwords—assume attackers have already harvested stored credentials from your browser and password managers.
Critical Warning: Stolen API keys can be used immediately. Contact Anthropic support to revoke compromised keys and review usage logs for unauthorized activity. Check billing statements for unexpected charges that may indicate fraudulent API usage.
Update Claude Code to the latest patched version immediately. Anthropic has released fixes addressing all three critical vulnerabilities. Run comprehensive malware scans using updated antivirus software, and consider using specialized infostealer detection tools that can identify Vidar malware artifacts.
Long-Term Security Practices
Implement repository verification as standard practice. Before cloning any repository, verify its authenticity through official documentation or trusted community sources. Enable GitHub's security features including Dependabot alerts and secret scanning to detect exposed credentials.
Use separate API keys for development and production environments, and implement key rotation policies. Monitor API usage patterns to quickly identify anomalous activity. Consider implementing network segmentation so compromised developer workstations can't access production systems directly.
Educate development teams about supply chain attacks and social engineering tactics. The trust developers place in GitHub and popular AI tools makes them attractive targets. Regular security awareness training helps teams recognize sophisticated scams before they become breaches.
Conclusion
The fake Claude AI repository campaign demonstrates how cybercriminals exploit emerging technologies and developer trust to execute large-scale attacks. By combining social engineering with legitimate platform vulnerabilities, attackers successfully compromised thousands of systems and stole sensitive data worth potentially millions of dollars.
This incident serves as a critical reminder that even trusted platforms like GitHub require vigilant security practices. As AI coding assistants become integral to development workflows, they also become attractive attack vectors. Developers must verify repository authenticity, maintain updated software, and implement defense-in-depth strategies to protect against evolving threats. The intersection of AI hype and cybercrime will only intensify—staying informed and skeptical remains your best defense.