PULSE NAME: Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub
TLP: WHITE
Author: AlienVault
Created: 2026-04-13
Modified: 2026-04-13
IOCs: 20
MEDIUM VOLUME
Cybercriminals are exploiting the recent Claude Code source leak as a social engineering lure, using GitHub repositories to deliver malware. The attackers have published trojanized versions of the leaked Claude Code source, with payloads that include Vidar stealer (version 18.7) and the GhostSocks trojan. The campaign shows how quickly a high-profile security incident is opportunistically weaponized, with the malicious repositories serving as the delivery mechanism. Organizations are advised to adopt a Zero Trust architecture to limit the risk from shadow AI instances and trojanized Claude agents. Multiple GitHub repositories have been identified hosting the malicious code, with command-and-control infrastructure spread across several IP addresses and domains.
Indicators of Compromise (20)
All 20 indicators were created on 2026-04-13; none carries a description.

TYPE             INDICATOR                                                          CREATED
IPv4             94.228.161.88                                                      2026-04-13
IPv4             147.45.197.92                                                      2026-04-13
URL              https://94.228.161.88:443                                          2026-04-13
URL              https://147.45.197.92:443                                          2026-04-13
URL              https://rti.cargomanbd.com                                         2026-04-13
hostname         rti.cargomanbd.com                                                 2026-04-13
FileHash-MD5     3388b415610f4ae018d124ea4dc99189                                   2026-04-13
FileHash-MD5     77c73bd5e7625b7f691bc00a1b561a0f                                   2026-04-13
FileHash-MD5     81fb210ba148fd39e999ee9cdc085dfc                                   2026-04-13
FileHash-MD5     8660646bbc6bb7dc8f59a764e25fe1fd                                   2026-04-13
FileHash-MD5     9a6ea91491ccb1068b0592402029527f                                   2026-04-13
FileHash-MD5     d8256fbc62e85dae85eb8d4b49613774                                   2026-04-13
FileHash-SHA1    4c3b9af7995072965e763fca0e472f00b84a8aea                           2026-04-13
FileHash-SHA1    7798feb26b98bb11f758d68e10fed0e0d7c78881                           2026-04-13
FileHash-SHA1    7942f7097e151f90cb5c9f579042c36133e93306                           2026-04-13
FileHash-SHA1    dff9ea007c0b24d35fd7393313c64a4b42ed1109                           2026-04-13
FileHash-SHA256  06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf   2026-04-13
FileHash-SHA256  7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a   2026-04-13
FileHash-SHA256  afa34c71a45f21d599c0bd90ac9026f68727aab0019c3b378956401475180c9c   2026-04-13
FileHash-SHA256  b4554c85f50c56d550d6c572a864deb0442404ddefe05ff27facb3cbfb90b4d6   2026-04-13
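A hunt script for these indicators, added here as a worked example and not part of the AlienVault pulse. It loads the 20 IOCs above into per-type sets, sanity-checks the hash entries (a mangled hash silently disables that indicator), collapses the IPv4, hostname and URL entries into one host set, and matches both against constructed sample data: a small EDR hash export and a few proxy, DNS and firewall log lines, all invented for the example. The file paths and log lines are assumptions, not observed data from the campaign.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the pulse's IOC table above.
PULSE_IOCS = {
    "IPv4": {"94.228.161.88", "147.45.197.92"},
    "hostname": {"rti.cargomanbd.com"},
    "URL": {"https://147.45.197.92:443", "https://94.228.161.88:443",
            "https://rti.cargomanbd.com"},
    "FileHash-MD5": {
        "3388b415610f4ae018d124ea4dc99189", "77c73bd5e7625b7f691bc00a1b561a0f",
        "81fb210ba148fd39e999ee9cdc085dfc", "8660646bbc6bb7dc8f59a764e25fe1fd",
        "9a6ea91491ccb1068b0592402029527f", "d8256fbc62e85dae85eb8d4b49613774",
    },
    "FileHash-SHA1": {
        "4c3b9af7995072965e763fca0e472f00b84a8aea",
        "7798feb26b98bb11f758d68e10fed0e0d7c78881",
        "7942f7097e151f90cb5c9f579042c36133e93306",
        "dff9ea007c0b24d35fd7393313c64a4b42ed1109",
    },
    "FileHash-SHA256": {
        "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
        "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a",
        "afa34c71a45f21d599c0bd90ac9026f68727aab0019c3b378956401475180c9c",
        "b4554c85f50c56d550d6c572a864deb0442404ddefe05ff27facb3cbfb90b4d6",
    },
}
HASH_LENGTHS = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}


def validate_hash_iocs(iocs=PULSE_IOCS):
    """Return (type, value) for hash indicators that are not well-formed lowercase hex."""
    bad = []
    for ioc_type, length in HASH_LENGTHS.items():
        for value in iocs.get(ioc_type, ()):
            if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
                bad.append((ioc_type, value))
    return bad


def network_indicators(iocs=PULSE_IOCS):
    """Collapse IPv4, hostname and URL entries into one lower-case host set.

    The URL entries only add a scheme and port to hosts already listed, so
    matching on the host component also catches other paths on those servers.
    """
    hosts = {h.lower() for h in iocs["IPv4"] | iocs["hostname"]}
    for url in iocs["URL"]:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


# Tokens that look like an IPv4 address or a dotted hostname.
HOST_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z0-9-]+")


def scan_log_lines(lines, hosts=None):
    """Return (line_number, indicator) for each known host/IP seen, in order of appearance.

    Format-agnostic: it extracts host-like tokens, so proxy, DNS and firewall
    lines are handled alike.
    """
    hosts = network_indicators() if hosts is None else hosts
    hits = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()
        for token in HOST_TOKEN.findall(line):
            token = token.lower()
            if token in hosts and token not in seen:
                seen.add(token)
                hits.append((lineno, token))
    return hits


def file_hashes(data):
    """MD5/SHA1/SHA256 of a file's bytes, keyed like the pulse's IOC types."""
    return {"FileHash-MD5": hashlib.md5(data).hexdigest(),
            "FileHash-SHA1": hashlib.sha1(data).hexdigest(),
            "FileHash-SHA256": hashlib.sha256(data).hexdigest()}


def match_hash_records(records, iocs=PULSE_IOCS):
    """Match precomputed hashes (e.g. an EDR export) against the pulse.

    Each record is a dict with a "path" and any of the three hash types;
    returns (path, ioc_type, hash) for every match.
    """
    matches = []
    for rec in records:
        for ioc_type in HASH_LENGTHS:
            value = rec.get(ioc_type, "").lower()
            if value in iocs[ioc_type]:
                matches.append((rec["path"], ioc_type, value))
    return matches


# Constructed sample data (not from the campaign): one hash export with a
# pulse SHA256 planted in it, plus a handful of log lines.
SAMPLE_RECORDS = [
    {"path": "/home/alice/Downloads/archive.zip",
     "FileHash-SHA256":
     "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf"},
    {"path": "/home/alice/Downloads/notes.txt",
     **file_hashes(b"benign constructed file contents\n")},
]
SAMPLE_LOG = """\
2026-04-13T10:02:11Z proxy CONNECT rti.cargomanbd.com:443 user=alice status=200
2026-04-13T10:02:15Z proxy GET https://github.com/example-org/example-repo status=200
2026-04-13T10:03:40Z dns query=rti.cargomanbd.com type=A answer=94.228.161.88
2026-04-13T10:04:02Z fw deny src=10.0.0.5 dst=147.45.197.92 dport=443
2026-04-13T10:05:00Z proxy GET https://updates.example.com/feed status=200
""".splitlines()

if __name__ == "__main__":
    print("malformed hash IOCs:", validate_hash_iocs())
    print("hash matches:", match_hash_records(SAMPLE_RECORDS))
    print("log hits:", scan_log_lines(SAMPLE_LOG))
```

Matching on the host rather than the full URL is deliberate: the URL entries here only add a scheme and port to hosts that are already listed, and C2 paths change faster than the servers behind them. Hashes are the weaker signal for a campaign that ships trojanized repositories, since every rebuild of the archive changes all three hashes, so treat the network indicators as the more durable set and confirm any hash hit against the file itself rather than the export alone.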