Security alert — malware repo typosquatting Claude Code: github.com/Enxs969/skiller hosting Trojan:Win64/Lazy.PGPK!MTB
A public GitHub repository is typosquatting Claude Code by name and shipping a Win64 trojan to anyone who clones, downloads, or runs the embedded zip.
Repo: https://github.com/Enxs969/skiller
Repo description (verbatim): "🌟 Manage and install Claude Code plugins and Agent Skills effortlessly with Skiller, a lightweight desktop menubar app for enhanced AI coding tools."
Malicious payload
- Path:
src/utils/Software-v3.5.zip - Direct raw URL:
https://raw.githubusercontent.com/Enxs969/skiller/main/src/utils/Software-v3.5.zip - Size on GitHub: 587,686 bytes
- Git blob SHA:
0bd716eebb5e30c2e2157ddcde579518ba3e53ff - Inside the zip:
luajit.exe, classified by Microsoft Defender as Trojan:Win64/Lazy.PGPK!MTB (Severity: Severe) - Defender engine
1.1.26030.3008, signatures1.449.296.0
Camouflage indicators
- Repo presents as a legitimate desktop menubar app for managing Claude Code plugins/skills.
- Real-looking source code: TypeScript (58.5%) + Rust (13.0%) + CSS (23.5%), 27 commits, README, CHANGELOG, CODE_OF_CONDUCT, package.json, vite.config.ts, signing-config.sh.
- The trojan binary sits inside
src/utils/next to a 922-byte plausibleterminal.ts. - Repo created
2023-11-27, last pushed2026-04-25T21:26Z— actively maintained as of the day before my detection. - Owner account: https://github.com/Enxs969 (single account, lone repo).
- 1 star, 0 forks at time of report (low traction but actively re-pushed).
My detection
- Time: 2026-04-26 06:26:30 +07:00 (Asia/Ho_Chi_Minh)
- Where: Windows 11 Pro, routine Microsoft Defender full scan
- The trojan was caught at the archive scan layer — never extracted, never executed
- Defender event log: Detection Origin
Local machine; Detection TypeFastPath; Detection SourceSystem
Local-vs-GitHub size mismatch: the file I had on disk was 147,087 bytes; the file currently on GitHub is 587,686 bytes (~4× larger). Suggests the attacker is iterating payloads and re-uploading.
Why this matters for the Claude Code community
- Claude Code is a developer tool; users typically run with admin/elevated context, with SSH keys, signed-in cloud creds, and source code on the same machine.
- A "skill manager" / "plugin installer" framing is a near-perfect lure for a developer searching for ways to extend Claude Code.
- A first-stage loader/dropper landing on a developer laptop is high-blast-radius.
- The same attack template can be replicated under any nearby username — heads up to anyone evaluating "Claude Code skill / plugin installer" repos.
Reporting status
- GitHub Trust & Safety abuse report filed (Malware or exploits category) against https://github.com/Enxs969/skiller and the owner account.
- Microsoft Defender sample auto-submitted via SubmitSamplesConsent.
Asks of the Claude Code maintainers
- Take public note of this typosquat pattern so users searching for plugin/skill installers don't land on it.
- Consider adding a "verified plugin sources" or "official skill registry" note in the docs so users know what is legitimate.
- (Optional) An automated check or doc page that lists known malicious typosquats targeting Claude Code by name.
Happy to share the full evidence package (Defender event log, Chrome download history fragment, GitHub API snapshots) if useful.
---
Reporting in good faith from the developer community. No affiliation with the malicious repo.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗