{ "type": "URL", "indicator": "https://rti.cargomanbd.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rti.cargomanbd.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4293580881, "indicator": "https://rti.cargomanbd.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69dcfb8e8ffc72d13aa8e7fe", "name": "Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub", "description": "Cybercriminals are exploiting the recent Claude Code leak incident by using it as a social engineering tactic to deliver malware through GitHub repositories. The attackers have created trojanized versions of the leaked Claude source code, distributing malicious payloads including Vidar stealer version 18.7 and GhostSocks trojan. The campaign demonstrates rapid opportunistic exploitation of high-profile security incidents, with compromised repositories serving as delivery mechanisms. Organizations are advised to implement Zero Trust architecture to mitigate risks from shadow AI instances and trojanized Claude agents. Multiple GitHub repositories have been identified hosting the malicious code, with command and control infrastructure established across multiple IP addresses and domains.", "modified": "2026-04-13T14:35:14.079000", "created": "2026-04-13T14:19:58.151000", "tags": [ "tradedownloader", "ghostsocks", "social engineering", "zero trust", "github delivery", "vidar", "vidar stealer", "trojanized repositories", "ai security", "claude code leak", "ghostsocks trojan" ], "references": [ "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "GhostSocks", "display_name": "GhostSocks", "target": null }, { "id": "TradeDownloader", "display_name": "TradeDownloader", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 3, "hostname": 1 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 377503, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-16T11:26:58.541000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "IPv4": 115, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 829, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddc1f7abfe233fa0f80558", "name": "Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub", "description": "", "modified": "2026-04-14T04:26:31.463000", "created": "2026-04-14T04:26:31.463000", "tags": [ "tradedownloader", "ghostsocks", "social engineering", "zero trust", "github delivery", "vidar", "vidar stealer", "trojanized repositories", "ai security", "claude code leak", "ghostsocks trojan" ], "references": [ "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "GhostSocks", "display_name": "GhostSocks", "target": null }, { "id": "TradeDownloader", "display_name": "TradeDownloader", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69dcfb8e8ffc72d13aa8e7fe", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 3, "hostname": 1 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d12a5400d76d886cdf06ea", "name": "Anthropic Claude Code Leak", "description": "In a significant security incident on March 31, 2026, Anthropic inadvertently exposed the complete source code of its AI coding agent, Claude Code, through a 59.8 MB JavaScript source map file included in the public npm package @anthropic-ai/claude-code version 2.1.88. The leak involved approximately 513,000 lines of unobfuscated TypeScript, providing threat actors and the public full access to the client-side agent's architecture. Following the disclosure by security researcher Chaofan Shou, the code spread rapidly, being downloaded and mirrored tens of thousands of times across various platforms, including GitHub.", "modified": "2026-04-04T15:12:19.962000", "created": "2026-04-04T15:12:19.962000", "tags": [ "claude code", "threatlabz", "github", "zip archive", "vidar", "ioc section", "readme file", "ghostsocks", "download zip", "button", "enterprise", "threat" ], "references": [ "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "CVE": 2, "FileHash-MD5": 6, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "hostname": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d113c05689fa926385fe59", "name": "Claude Code Leak Exploited to Spread Vidar and GhostSocks Malware", "description": "A massive source code leak of Anthropic\u2019s Claude Code has been exploited to spread Vidar and GhostSocks malware through fake GitHub repositories.", "modified": "2026-04-04T13:36:00.090000", "created": "2026-04-04T13:36:00.090000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 6, "URL": 3, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 487, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.April.pdf", "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Ghostsocks", "Tradedownloader", "Vidar" ], "industries": [], "unique_indicators": 20 }, "other": { "adversary": [ "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2" ], "malware_families": [ "Ghostsocks", "Tradedownloader", "Vidar" ], "industries": [], "unique_indicators": 833 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cargomanbd.com", "whois": "http://whois.domaintools.com/cargomanbd.com", "domain": "cargomanbd.com", "hostname": "rti.cargomanbd.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69dcfb8e8ffc72d13aa8e7fe", "name": "Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub", "description": "Cybercriminals are exploiting the recent Claude Code leak incident by using it as a social engineering tactic to deliver malware through GitHub repositories. The attackers have created trojanized versions of the leaked Claude source code, distributing malicious payloads including Vidar stealer version 18.7 and GhostSocks trojan. The campaign demonstrates rapid opportunistic exploitation of high-profile security incidents, with compromised repositories serving as delivery mechanisms. Organizations are advised to implement Zero Trust architecture to mitigate risks from shadow AI instances and trojanized Claude agents. Multiple GitHub repositories have been identified hosting the malicious code, with command and control infrastructure established across multiple IP addresses and domains.", "modified": "2026-04-13T14:35:14.079000", "created": "2026-04-13T14:19:58.151000", "tags": [ "tradedownloader", "ghostsocks", "social engineering", "zero trust", "github delivery", "vidar", "vidar stealer", "trojanized repositories", "ai security", "claude code leak", "ghostsocks trojan" ], "references": [ "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "GhostSocks", "display_name": "GhostSocks", "target": null }, { "id": "TradeDownloader", "display_name": "TradeDownloader", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 3, "hostname": 1 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 377503, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-16T11:26:58.541000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "IPv4": 115, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 829, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddc1f7abfe233fa0f80558", "name": "Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub", "description": "", "modified": "2026-04-14T04:26:31.463000", "created": "2026-04-14T04:26:31.463000", "tags": [ "tradedownloader", "ghostsocks", "social engineering", "zero trust", "github delivery", "vidar", "vidar stealer", "trojanized repositories", "ai security", "claude code leak", "ghostsocks trojan" ], "references": [ "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "GhostSocks", "display_name": "GhostSocks", "target": null }, { "id": "TradeDownloader", "display_name": "TradeDownloader", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69dcfb8e8ffc72d13aa8e7fe", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 3, "hostname": 1 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d12a5400d76d886cdf06ea", "name": "Anthropic Claude Code Leak", "description": "In a significant security incident on March 31, 2026, Anthropic inadvertently exposed the complete source code of its AI coding agent, Claude Code, through a 59.8 MB JavaScript source map file included in the public npm package @anthropic-ai/claude-code version 2.1.88. The leak involved approximately 513,000 lines of unobfuscated TypeScript, providing threat actors and the public full access to the client-side agent's architecture. Following the disclosure by security researcher Chaofan Shou, the code spread rapidly, being downloaded and mirrored tens of thousands of times across various platforms, including GitHub.", "modified": "2026-04-04T15:12:19.962000", "created": "2026-04-04T15:12:19.962000", "tags": [ "claude code", "threatlabz", "github", "zip archive", "vidar", "ioc section", "readme file", "ghostsocks", "download zip", "button", "enterprise", "threat" ], "references": [ "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "CVE": 2, "FileHash-MD5": 6, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "hostname": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d113c05689fa926385fe59", "name": "Claude Code Leak Exploited to Spread Vidar and GhostSocks Malware", "description": "A massive source code leak of Anthropic\u2019s Claude Code has been exploited to spread Vidar and GhostSocks malware through fake GitHub repositories.", "modified": "2026-04-04T13:36:00.090000", "created": "2026-04-04T13:36:00.090000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "FileHash-MD5": 6, "URL": 3, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 487, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rti.cargomanbd.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rti.cargomanbd.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776607094.983084 }