Jacob Santos

Threat Hunter, Researcher and Builder

Sr. Threat Researcher | Trend AI
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
Trend Micro Research Apr 2026

Social Engineering, AI Threats, Credential Theft, Defense Evasion

In late March 2026, Anthropic accidentally published an npm package (version 2.1.88) that included cli.js.map — a 59.8 MB source map exposing approximately 512,000 lines of internal TypeScript across 1,900 files, covering unreleased features such as a persistent autonomous daemon (KAIROS), a memory-consolidation system (Dream), and anti-distillation protections. Within 24 hours of the leak, threat actors pivoted an already-running AI-lure operation to create fake "leaked-claude-code" GitHub repositories surfacing in top Google results, hosting trojanized 7z archives (78–167 MB) via GitHub Releases to appear legitimate and evade automated scanning. Every archive across the campaign's 38 distinct lure variants delivered the same Rust-compiled dropper (TradeAI.exe), which implemented anti-sandbox environment enumeration, XOR string encryption with a 12-byte rotating key (defaulting to xnasff3wcedj), and deployed Vidar v18.7 using Steam Community and Telegram dead-drop C2 resolution alongside GhostSocks for residential proxy abuse. The campaign impersonated categories spanning AI tools (Claude Code, Copilot, WormGPT), cryptocurrency bots, creative media software, and general utilities to maximize victim demographics. Beyond the active campaign, the researchers noted longer-term risks from the leaked source code itself, including vulnerability discovery, prompt injection blueprinting, and agentic attack surface mapping by more sophisticated actors.
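
The rotating-key XOR string hiding described above can be undone offline during triage. The following is an added example, not code from the report or from the dropper: it encodes analyst-chosen keywords under each of the 12 key phases, searches a byte blob for them, and decodes the surrounding string. Only the key value comes from the text; the function names, the keyword choices, the constructed sample URLs and the assumption that the key alignment per string is unknown are made here.

```python
"""Hunt for strings hidden with a rotating XOR key (analysis/triage helper)."""

DEFAULT_KEY = b"xnasff3wcedj"       # 12-byte default key named in the summary
PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, used to bound a string


def xor_rotate(data: bytes, key: bytes = DEFAULT_KEY, phase: int = 0) -> bytes:
    """XOR data with key, starting at key[phase] and wrapping around."""
    return bytes(b ^ key[(phase + i) % len(key)] for i, b in enumerate(data))


def hunt(blob: bytes, keywords, key: bytes = DEFAULT_KEY):
    """Return sorted (offset, plaintext) for encoded strings containing a keyword.

    Assumption: where the key index starts for each string is unknown, so each
    keyword is encoded at every key phase and searched for (the same idea as an
    XOR-aware signature); a hit is then widened in both directions while the
    bytes keep decoding to printable ASCII.
    """
    n, hits = len(key), set()
    for kw in keywords:
        for phase in range(n):
            needle = xor_rotate(kw, key, phase)
            pos = blob.find(needle)
            while pos != -1:
                base = (phase - pos) % n  # key index that lines up with blob[0]
                start, end = pos, pos + len(kw)
                while start > 0 and (blob[start - 1] ^ key[(base + start - 1) % n]) in PRINTABLE:
                    start -= 1
                while end < len(blob) and (blob[end] ^ key[(base + end) % n]) in PRINTABLE:
                    end += 1
                text = xor_rotate(blob[start:end], key, (base + start) % n)
                hits.add((start, text.decode("ascii")))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: two made-up URLs encoded with the key, padded with 0xFF.
SAMPLE_STRINGS = [b"https://steamcommunity.com/profiles/CONSTRUCTED-ID",
                  b"https://t.me/constructed_channel"]
SAMPLE = (b"\xff" * 5
          + b"\xff\xff\xff".join(xor_rotate(s) for s in SAMPLE_STRINGS)
          + b"\xff" * 4)

if __name__ == "__main__":
    for offset, text in hunt(SAMPLE, [b"steamcommunity.com", b"t.me/"]):
        print(f"{offset:#06x}  {text}")
```

Short keywords can match by coincidence in large binaries, so treat each recovered string as a lead to confirm rather than a verdict.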