Hackers Are Posting the Claude Code Leak With Bonus Malware


A WIRED investigation based on Department of Homeland Security records revealed this week the identities of Border Patrol paramilitary agents who frequently used force against civilians during Operation Midway Blitz in Chicago last fall. According to WIRED, several of the agents have appeared in similar operations in other states across the United States.

Customs and Border Protection may want to consider protecting sensitive information at their facilities. Using basic Google searches, WIRED discovered flashcards created by users of the online learning platform Quizlet that contained access codes to CBP facilities and more.

In a rare move, Apple this week released “backported” patches for iOS 18 to protect the millions of people still using the old operating system from the DarkSword hacking technique that has been used in the wild. Discovered in March, DarkSword allows attackers to infect iPhones that simply visit a website containing the built-in hacking tools. Apple initially pushed users to update to the current version of its operating system, iOS 26, but eventually released iOS 18 patches after DarkSword continued to spread.

The US-Israel war with Iran entered its second month this week, with Iran threatening attacks on more than a dozen US companies, including tech giants like Apple, Google and Microsoft, which have offices and data centers in the Gulf region. The deadly conflict, with no clear end in sight, continues to wreak havoc on the global economy as ship crews remain stranded in the Strait of Hormuz, a key trade route. Meanwhile, some are beginning to wonder what might happen if U.S. strikes cause real damage to Iran’s nuclear facilities.

And that’s not all! Every week, we round up security and privacy news that we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Earlier this week, a security researcher reported that Anthropic had accidentally made the source code of its popular vibe coding tool, Claude Code, public. Immediately, people started reposting the code on the GitHub development platform. But be wary if you want to try downloading some of these repositories yourself: BleepingComputer reports that some of the posters are actually hackers who inserted infostealer malware into the lines of code.

Anthropic, for its part, attempted to remove copies of the leak (malware-loaded or not) by posting copyright takedown notices. The Wall Street Journal reported that the company initially attempted to remove more than 8,000 repositories on GitHub, but later reduced that number to 96 copies and adaptations.

This isn’t the first time hackers have capitalized on interest in Claude Code, which forces users who may not be as familiar with their computer’s terminal to copy and paste installation commands from a website. In March, 404 Media reported that sponsored ads on Google led to sites pretending to be official Claude Code installation guides, which prompted users to run a command to download malware.

The FBI has officially classified a recent cyber intrusion into one of its surveillance systems as a “major incident” under FISMA – a legal designation reserved for breaches considered to pose serious risks to national security. The move, reported to Congress earlier this week, would be the first time since at least 2020 that the bureau has declared a major incident on its own systems. Politico, citing two unnamed senior Trump administration officials, reported that China was behind the intrusion. If confirmed, the breach could mark a significant counterintelligence failure for the FBI.

The FBI said it detected “suspicious activity” on its networks in February. In a notice to Congress on March 4, reviewed by Politico, the bureau said the compromised systems were unclassified and held “returns from legal proceedings,” citing, as examples, telephone and Internet metadata collected under court order and personal information “relating to the subjects of FBI investigations.” The intruders allegedly gained access through a commercial Internet service provider, an approach the FBI called a “sophisticated tactic.” In its only public statement, the office said it had deployed “all technical capabilities to respond.”
