Anthropic Scrambles to Remove Malware-Infused Claude Code Leak from GitHub

Wired AI

Key Points

  • Anthropic accidentally published Claude Code source code, triggering a flood of GitHub reposts.
  • Many reposts contain hidden infostealer malware designed to steal credentials.
  • The company filed copyright takedown notices, reducing the number of repositories from more than 8,000 to 96.
  • Earlier in March, fake installation guides also delivered malware via Google ads.
  • Experts warn developers to avoid unofficial copies until the threat is fully mitigated.

Anthropic unintentionally exposed the source code for its Claude Code tool, prompting a flood of GitHub reposts. Security researchers discovered that many of the copies include hidden infostealer malware, turning a simple code leak into a broader threat. The company has issued copyright takedown notices, trimming the number of repositories from over 8,000 to under 100. The episode follows earlier attempts to lure users with fake installation guides that also delivered malicious payloads.

Anthropic’s Claude Code, a popular tool for developers, was accidentally published online last month, exposing its source code to the public. Within days, thousands of GitHub repositories sprang up, each mirroring the leaked files. Security researchers quickly flagged a troubling pattern: a significant number of these reposts contained hidden infostealer malware embedded directly in the code.

Investigations by BleepingComputer revealed that the malicious additions were not accidental. The researchers traced the modifications to actors who appear to be leveraging the high visibility of the leak to spread malware to unsuspecting users who might clone or download the repositories. The malicious code is designed to siphon credentials and other sensitive data from any system on which it is inadvertently executed.

In response, Anthropic launched an aggressive takedown campaign. The Wall Street Journal reported that the company initially targeted more than 8,000 repositories with copyright infringement notices. After weeks of back-and-forth with GitHub’s moderation team, the effort was narrowed to 96 copies and adaptations that remain online. Anthropic’s legal team cited intellectual-property violations as the basis for removal, even though the primary concern is the embedded malware.

This is not the first time Claude Code has been weaponized. In March, 404 Media documented a series of sponsored Google ads that directed users to counterfeit installation guides. Those pages prompted visitors to run a command that downloaded a separate malware payload, effectively turning a routine install into a security breach. The new wave of malicious reposts amplifies that risk by embedding the threat directly into the source files.

Cybersecurity experts warn that developers who clone any of the leaked repositories without verifying their integrity could inadvertently compromise their own environments. The infostealer code is capable of harvesting passwords, API keys, and other credentials, potentially giving attackers footholds in corporate networks or personal devices.

Anthropic’s spokesperson declined to comment on the specifics of the malware but reaffirmed the company’s commitment to “protecting our users and partners.” The firm also urged developers to avoid downloading the code from unofficial sources until the situation is fully resolved.

GitHub has not disclosed the exact criteria it used to retain the remaining 96 repositories, but the platform’s policy generally allows content that does not violate copyright or contain malicious code. The persistence of these copies underscores the challenge of fully eradicating malicious code once it spreads across a public code-hosting service.

Security analysts say the incident highlights a broader trend: accidental leaks of proprietary code can quickly become vectors for malware distribution, especially when attackers act swiftly to piggyback on the attention such leaks generate. Organizations are advised to monitor public repositories for unauthorized copies of their software and to act decisively when threats emerge.

Generated with News Factory - Source: Wired AI
