Security audit of modified Claude Code builds that emerged after the source map leak (2026-03-31, v2.1.88).
On March 31, 2026, the @anthropic-ai/claude-code npm package v2.1.88 accidentally included cli.js.map, exposing the full TypeScript source (~512K lines, 1,900 files). This spawned numerous forks, modified builds, and at least one malware distribution campaign.
This repository documents our security audit of the most prominent forks.
| Repository | Severity | Backdoor | Exfiltration | Cmd Injection | Verdict |
|---|---|---|---|---|---|
| paoloanzn/free-code | MEDIUM | None | None | None | Guardrails stripped only, no malice |
| leaked-claude-code/leaked-claude-code | CRITICAL | Suspected | TBD | TBD | Trojan distribution trap |
| beita6969/claude-code | LOW | None | None | None | Legitimate research fork |
| kennyzheng-builds/claude-yolo | LOW | None | None | None | --dangerously-skip-permissions wrapper |
| instructkr/claw-code | LOW | None | None | None | Clean Rust rewrite |
The leaked-claude-code/leaked-claude-code repository uses genuine leaked source code as bait, but distributes a pre-compiled Windows binary (ClaudeCode_x64.7z) via GitHub Releases. The source has no build system (no package.json, no tsconfig.json, no build scripts) — it exists purely to build credibility. The binary should be treated as presumed malware.
Confirmed details:
- Binary:
ClaudeCode_x64.7z(108 MB), SHA256:06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf - Downloads: 1,239+ (as of 2026-04-01)
- Published: 2026-03-31 12:54 UTC — within hours of the leak
- Attacker account:
idbzoomh1— created 2025-09-21, zero repos, zero followers (dormant account)
Red flags:
- No build system despite containing TypeScript source
.7zdistribution bypasses GitHub's automatic virus scanning- False claims: "Jailbreak mode", "Enterprise features", "browser fingerprint spoofing" — none implemented in source
- Disposable account with pre-prepared dormant profile
- Unrelated
.gitignore(Dynamics 365 Business Central template)
- Full Report (JP) — 総合レポート(日本語)
- Audit Methodology — Tools and approach
Reusable diff-based audit scripts for comparing any Claude Code fork against the official npm package:
# Fetch a target
./audit/scripts/fetch-target.sh <npm-package-or-url> <name>
# Run audit
./audit/scripts/audit.sh audit/targets/<name>/packageThe toolkit extracts only added/changed lines vs the official baseline, then scans for:
- External URLs / C2 endpoints
- Response manipulation (tool_use injection)
- Command injection / permission bypass
- Credential theft / data exfiltration
- Obfuscation / dynamic code execution
- Vendor binary tampering
Malicious Non-malicious
┌──────────────────┬──────────────────────────┐
Modified │ leaked-claude- │ free-code (guardrails │
│ code (trojan │ stripped) │
│ distribution) │ │
├──────────────────┼──────────────────────────┤
Unmodified│ │ beita6969 (build system) │
/ Minor │ │ claude-yolo (wrapper) │
│ │ claw-code (Rust rewrite) │
└──────────────────┴──────────────────────────┘
- Sandbox analysis of
ClaudeCode_x64.7z(VirusTotal / ANY.RUN) - GitHub abuse report for leaked-claude-code
- Audit
aashunaidu/claude-code-unlimited(OpenRouter key rotation) - Survey additional forks from the 41,500+ fork ecosystem
This research is conducted as whitehat security research. Findings regarding malware distribution will be reported to GitHub via abuse reports.
Ryuji Yasukochi — Security researcher, M2Labo CTO
