Hackers spread Claude Code leak and hide malware in archives
The Claude Code data leak has become bait: hackers are distributing archives that supposedly contain leaked Anthropic files, but they hide an infostealer…
AI-processed from Wired; edited by Hamidun News
The Claude Code data leak has become a tool in the hands of cybercriminals: hackers are mass-distributing archives that allegedly contain leaked files from Anthropic, but along with them victims receive hidden malware. The attack targets users looking for access to prohibited materials and willing to take risks for it. The scheme operates on the classic principle of digital bait.
Archives with names hinting at exclusive content — leaks from Anthropic, internal Claude Code data, company product source code — are distributed through forums, Telegram channels, Discord servers, and torrents. Inside, alongside real or fabricated files, an infostealer or a loader for additional malware is hidden. Once executed, the malware collects data from browsers, crypto wallets, and messengers — anything that can be used to hijack accounts or be sold on dark-web markets.
The attack exploits not only user curiosity but also the desire to bypass restrictions. People searching for leaked data about commercial AI products often neglect basic safety measures: they don't verify the source, don't open files in an isolated environment, and don't inspect an archive's contents before extracting it. This makes them a particularly vulnerable audience.
Researchers note that such schemes intensify every time a high-profile leak appears in the public space — whether real or fake. But hacker attacks this week weren't limited to Claude Code. The FBI warned of a serious national security threat: criminals hacked tools for legal phone surveillance — so-called wiretap systems.
These systems are used by US intelligence and law enforcement agencies to conduct authorized investigations. Access to them opens the possibility of both obtaining secret data about ongoing operations and identifying classified sources. The FBI didn't disclose breach details but emphasized that the threat is systemic in nature.
Simultaneously, news emerged of a Cisco breach as part of a large-scale campaign targeting supply chains. Criminals stole fragments of the company's source code. This represents significant value: source code allows searching for zero-day vulnerabilities that can then be exploited in targeted attacks on corporate infrastructure worldwide.
Supply chain attacks remain one of the most dangerous trends in cybersecurity: a single compromised vendor opens the door to thousands of organizations that trust its products.
All three incidents share a common pattern: attackers exploit trust — in brands, in legitimate tools, in partnership chains. When a user downloads an archive with a leak, they trust their curiosity. When a wiretap system receives a request, it trusts authorization. When a corporation uses vendor software, it trusts the supply chain. Attackers methodically find and exploit each of these links.
For the average user, the conclusion is clear: any archives with exclusive or leaked content from unofficial sources should be considered potentially malicious — regardless of how convincing the description looks. Infostealers hidden in such archives compromise not only one device but all services whose passwords are stored in the browser. If something looks like forbidden exclusive content — it's probably a trap.
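The "inspect before opening" advice above (and the safety measures listed earlier) can be made concrete. The following is an added example, not code from the article or from any vendor: it lists a ZIP archive's members without extracting anything and flags the red flags typical of these bait archives (executable types, "report.pdf.exe" double extensions, path traversal on extraction, password-protected members, decompression bombs). The sample archive is constructed inline to mimic the lure and contains no real files; the extension lists are illustrative, not exhaustive.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Types Windows runs on double-click; a "leaked documents" archive has no business
# containing them. Illustrative list, not exhaustive.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                       ".jse", ".wsf", ".hta", ".msi", ".lnk", ".ps1"}
# Document types commonly used as the first half of a "report.pdf.exe" disguise.
DOCUMENT_SUFFIXES = {".pdf", ".txt", ".doc", ".docx", ".xlsx", ".md", ".json", ".zip"}


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP without extracting anything and report members with red flags."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        for info in members:
            name = info.filename
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            reasons = []
            if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
                reasons.append("executable type")
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES:
                    reasons.append("double extension disguised as a document")
            if name.startswith("/") or ".." in PurePosixPath(name).parts:
                reasons.append("path traversal on extraction")
            if info.flag_bits & 0x1:  # bit 0 = traditional ZIP encryption
                reasons.append("password-protected member (hides content from scanners)")
            if info.compress_size and info.file_size / info.compress_size > 100:
                reasons.append("extreme compression ratio (possible decompression bomb)")
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # look this up before ever opening the file
        "members": len(members),
        "findings": findings,
        "verdict": "suspicious" if findings else "no obvious red flags",
    }


def build_sample_archive() -> bytes:
    """Constructed bait archive mimicking the lure described above (fake content, not a real leak)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Anthropic internal Claude Code files - open the PDF first\n")
        zf.writestr("claude_code_internal.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE header
        zf.writestr("docs/../../config.ini", "[settings]\n")  # would land outside the extract dir
    return buf.getvalue()
```

Run `triage_archive(build_sample_archive())` to see the report; in practice the archive bytes come from the download, and the hash is checked against a threat-intelligence source before anything is extracted.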