May 25, 2026

Attackers are impersonating Anthropic’s Claude Code tool with convincing fake installation pages designed to deliver malware to both Windows and macOS users. It’s a supply chain–style attack that never touches the actual supply chain: Anthropic’s own distribution channel is not compromised. What’s exploited is the trust developers place in a popular AI coding assistant, and the habit of grabbing it from whatever link comes up first.

The threat was reported by TechRepublic, which detailed how security researchers discovered fraudulent websites mimicking official Anthropic download pages for Claude Code, the company’s command-line AI coding tool. The fake pages look legitimate. Disturbingly so. And they’re designed to trick developers into downloading trojanized installers that execute malicious payloads on their machines.

Here’s what happened. Claude Code, which Anthropic launched as a terminal-based agentic coding tool, has gained significant traction among software developers. That popularity made it an attractive target. Threat actors stood up lookalike domains with near-identical branding, copy, and download buttons — all pointing to malware-laced binaries rather than the real tool.

The malware targets both major desktop operating systems. On Windows, victims who download the fake installer get an executable that drops an infostealer capable of harvesting credentials, browser cookies, and cryptocurrency wallet data. The macOS variant follows a similar playbook, deploying a payload that establishes persistence and exfiltrates sensitive data from the compromised machine. Both versions attempt to blend in with legitimate system processes to avoid detection.

This isn’t a novel technique, but the execution is sharper than usual. The fake pages reportedly used valid HTTPS certificates and domain names close enough to Anthropic’s real infrastructure that a hurried developer (which is most developers) could easily be fooled. The padlock is no signal here: anyone who controls a domain can obtain a certificate for it at no cost, so a working HTTPS page proves only that you are talking to whoever registered that lookalike name. Social engineering at its most effective: meet people where they already are, doing what they already do, and slide something malicious into their workflow.

Security researcher reports circulating on X have corroborated the findings. Multiple posts flagged suspicious Claude Code download links being promoted through search engine ads and developer forums, a distribution method that has become increasingly common for this type of campaign. The attackers appear to be buying ad placements that surface above organic search results, so when a developer searches for “Claude Code download” or “install Claude Code,” the poisoned link shows up first.

Anthropic’s actual Claude Code tool is installed from the command line, not from a binary download page. The channel this report centers on is the npm package @anthropic-ai/claude-code, installed with npm install -g @anthropic-ai/claude-code; no browser download is involved. That’s a critical distinction. If a website is offering an .exe or .dmg file as the official Claude Code installer, something is wrong. Two checks are worth making a habit: confirm the current installation instructions in Anthropic’s own documentation rather than in a search result, and type the package name exactly as documented, since package registries have their own lookalike-name problem.

This attack vector has been gaining momentum across the AI tools space broadly. Similar campaigns have previously targeted users of other popular AI and developer tools, including fake pages for Ollama, Midjourney (which doesn’t even have a desktop app), and various open-source LLM projects. Threat actors have figured out that the rapid adoption curve for AI tools creates a window of confusion — new users aren’t always sure what the official distribution channel looks like, and that uncertainty is exploitable.

The implications for enterprise security teams are significant. Developers often have elevated privileges on their machines and access to source code repositories, CI/CD pipelines, API keys, and cloud credentials. A single compromised developer workstation can become a foothold into an organization’s entire software delivery infrastructure. And because these attacks target people actively seeking to install tools — not random phishing victims — the success rate can be disturbingly high.

So what should teams do? First, establish and communicate approved installation channels for AI development tools internally, ideally as an allowlist of source domains and package names that your proxy and endpoint tooling can enforce. Second, block or flag installer downloads (.exe, .msi, .dmg, .pkg) from domains not on that list, and treat a code signature as necessary rather than sufficient: a signed binary from a lookalike domain is still a lookalike. Third, monitor for anomalous outbound network connections from developer machines, particularly first-seen destinations contacted by a newly installed process, which could indicate an active infostealer. And fourth, remind developers that legitimate CLI tools from major vendors almost never require downloading an installer from a webpage.
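The second and third recommendations above, together with the lookalike domains and paid search placements described earlier, can be turned into a first-pass detection. The following is an added example written for this piece; it is not code from the article, from Anthropic, or from any researcher it cites. It scans constructed web-proxy log lines for installer downloads from hosts that are not on an approved list, scores hostnames for resemblance to the Anthropic and Claude brand labels, and notes when the request arrived through a paid-search click-through. The approved-host list, the ad-click host list, the log format and every log line are assumptions made up for the example; replace them with your own.

```python
"""First-pass detector for lookalike installer downloads in web-proxy logs.
Added example, not code from the article or from Anthropic. The log format,
the host lists and the sample lines are all constructed for illustration."""
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumption: hosts from which a Claude Code install may legitimately originate.
# Replace with the channels your vendor documentation and internal policy approve.
APPROVED_HOSTS = {"anthropic.com", "claude.ai", "registry.npmjs.org", "npmjs.com"}
BRAND_LABELS = {"anthropic", "claude"}
INSTALLER_EXT = {".exe", ".msi", ".dmg", ".pkg", ".zip"}
# Assumption: hosts a paid-search click-through commonly passes through.
AD_CLICK_HOSTS = {"www.googleadservices.com", "www.bing.com"}

# Constructed sample log: tab-separated ts, user, method, url, content-type, referrer.
SAMPLE_LOG = """\
2026-05-25T09:01:12Z\talice\tGET\thttps://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-1.0.0.tgz\tapplication/octet-stream\t-
2026-05-25T09:03:40Z\tbob\tGET\thttps://claude-code-download.com/install/ClaudeCodeSetup.exe\tapplication/x-msdownload\thttps://www.googleadservices.com/pagead/aclk?sa=L
2026-05-25T09:04:05Z\tcarol\tGET\thttps://anthropic-ai.org/claude-code/\ttext/html\thttps://www.bing.com/aclick?ld=abc
2026-05-25T09:05:30Z\tdave\tGET\thttps://docs.anthropic.com/en/docs/claude-code/overview\ttext/html\t-
2026-05-25T09:06:11Z\terin\tGET\thttps://cdn.example.com/tools/ClaudeCode.dmg\tapplication/x-apple-diskimage\t-
2026-05-25T09:07:00Z\tfrank\tGET\thttps://www.antropic.com/download/claude.pkg\tapplication/octet-stream\t-
"""

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined so the example has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_approved(host: str) -> bool:
    """True for an approved host or any subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in APPROVED_HOSTS)

def lookalike_reasons(host: str) -> list[str]:
    """Ways an unapproved host resembles the vendor's brand; empty if none."""
    if is_approved(host):
        return []
    reasons = []
    # Split on dots and hyphens so 'claude-code-download.com' yields the label 'claude'.
    for label in re.split(r"[.-]", host.lower()):
        for brand in BRAND_LABELS:
            if label == brand:
                reasons.append(f"brand label '{brand}' in unapproved host {host}")
            elif brand in label:
                reasons.append(f"brand '{brand}' embedded in label '{label}'")
            elif len(label) >= 5 and levenshtein(label, brand) <= 2:
                reasons.append(f"label '{label}' is within edit distance 2 of '{brand}'")
    return reasons

def parse_line(line: str) -> dict:
    ts, user, method, url, ctype, referrer = line.rstrip("\n").split("\t")
    parts = urlsplit(url)
    return {"ts": ts, "user": user, "method": method, "url": url, "ctype": ctype,
            "host": (parts.hostname or "").lower(), "path": parts.path, "referrer": referrer}

def is_installer(rec: dict) -> bool:
    return PurePosixPath(rec["path"]).suffix.lower() in INSTALLER_EXT

def scan(log_text: str) -> list[dict]:
    """Return one alert per suspicious request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_approved(rec["host"]):
            continue
        reasons = lookalike_reasons(rec["host"])
        brand_in_path = any(b in rec["path"].lower() for b in BRAND_LABELS)
        if is_installer(rec) and (reasons or brand_in_path):
            severity = "high"    # brand-named installer from a host that is not the vendor
            reasons.append(f"installer {PurePosixPath(rec['path']).name} fetched from unapproved host")
        elif reasons:
            severity = "medium"  # lookalike host visited, nothing downloaded (yet)
        else:
            continue
        ref_host = (urlsplit(rec["referrer"]).hostname or "").lower()
        if ref_host in AD_CLICK_HOSTS:
            reasons.append(f"arrived via paid-search click-through ({ref_host})")
        alerts.append({"ts": rec["ts"], "user": rec["user"], "host": rec["host"],
                       "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['user']} {alert['host']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed log, the npm tarball fetch and the visit to docs.anthropic.com produce nothing, the three brand-named installers from unapproved hosts are rated high, and the visit to the lookalike anthropic-ai.org lands as medium with a note that it came through a paid-search click. The two-label hostname split and the bare edit-distance threshold are deliberately simple; a production rule would use the public-suffix list to find the registrable domain and would tune the threshold against your own traffic to keep false positives down.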

Anthropic has not yet issued a detailed public advisory about the campaign, though the company’s official documentation specifies the supported installation channels, the npm package among them, and none of them is a download page on a third-party domain. That documentation, not a sponsored search result, is the single source of truth here.

The broader pattern is clear. As AI coding tools become standard parts of the developer toolkit, they’re also becoming standard targets for attackers. The trust developers extend to these tools — and the speed at which they adopt them — creates exactly the kind of gap threat actors love to exploit. Every new popular tool is a new opportunity for a convincing fake. And the fakes are getting better.

If you’re running a security team, this is the kind of threat that warrants an internal advisory today. Not next sprint. Today.

Fake Claude Code Installer Pages Are Spreading Malware on Windows and macOS first appeared on Web and IT News.