They were dialing up what they thought was open-source gold — the leaked Claude Code — and instead some users downloaded a digital pickpocket. Tens of thousands of downloads over the last week included files that, according to the reporting, carried credential-stealing malware alongside the purported source code.
What happened
According to the source material, leaked Claude Code source code circulated this week and was downloaded by tens of thousands of people. Some of those downloads were accompanied by credential-stealing malware rather than only source files.
Malware observed
The reporting identifies two specific pieces of malware present in trojanized downloads: Vidar stealer and GhostSocks. The source describes these as credential-stealing malware included with some of the leaked files.
Why this matters
- The downloads reached a large audience: the source states that tens of thousands of people downloaded the leaked material this week.
- Some of those downloads contained credential-stealing malware — the presence of Vidar stealer and GhostSocks is explicitly reported.
- Mixing leaked code with malware converts a curiosity or research opportunity into an active security risk for anyone who executed or inspected the files.
Questions and implications
The episode raises immediate questions: who trojanized the leaked files, how widely the malicious variants spread among those downloads, and which accounts or systems — if any — were compromised as a result. It also highlights the perennial tension between curiosity about leaked code and the practical risks of handling unverified downloads.
For users who encountered the leak, the published reporting points to a simple but urgent takeaway: downloads that appear to be leaked source code can be weaponized. That reality turns an information leak into a potential vector for credential theft.
How many of those tens of thousands will discover they invited a stealer in with their curiosity remains to be seen — and that uncertainty is the clearest danger of all.




