Threat actors exploited media coverage of an Anthropic Claude Code source leak to distribute Vidar infostealer and GhostSocks SOCKS5 proxy via SEO-poisoned fake GitHub repositories targeting developers; this is a social engineering and supply chain delivery campaign with no associated CVE. Organizations with developers active in AI tooling communities face credential theft risk affecting cloud environments, source code repositories, and corporate accounts from a single compromised developer workstation. Identify and isolate any endpoints that downloaded from fake Claude Code repositories in the April 2026 window, reimage confirmed-infected hosts, rotate all credentials accessible from those machines, and consult Zscaler threat intelligence for current IOC lists before ingesting into detection tooling.