Fake Claude Code sites spread malware through cloned install guides targeting developers

Phony Claude Code Install Guides Trick Vibe Coders Into Installing Malware

Would-be vibe coders looking to experiment with Claude Code are being targeted by malicious install guide websites that pop up in Google search results and install malware when executed. Dubbed InstallFix by Push Security, the scheme is a modification of the ClickFix social engineering scam. It inserts instructions to download malware during the Claude Code install process on cloned websites. The attack bypasses many standard malware protections because the user initiates it. Where that often requires the user to open a run dialogue box or perform a CAPTCHA check, InstallFix adds a dodgy URL to an install guide you already trust, making it easy to slip up. Adding an extra wrinkle is that InstallFix is showing up in Google results as sponsored links when searching for "Claude Code." Ideally, you'd avoid pasting URLs you find in guides (or anywhere), but it's not uncommon to see this when installing some tools online. Indeed, the legitimate Claude Code install site asks you to do just that (this is the real one, check the URL). It's this curl-to-bash command shown in the image below that causes so many problems when pasted into your terminal and actioned. As Push Security describes, the cloned sites look nearly identical to the real thing, with the same logos, layout, and functioning links. But if you check the instructions, you'll see the URLs for downloading files point to an attacker-controlled server that can download anything it likes, often without tripping your anti-malware software. As with many modern malware attacks, this one is multipronged as well. When you run the download command, it installs an executable that then downloads more malware from a remote URL. It appears to be related to the Amatera Stealer malware and primarily targets user data, grabbing passwords, cookies, and session tokens. It's also hard to delete. Although this particular campaign targets Claude Code, InstallFix scams are growing in number and are likely to proliferate further as AI tools attract users looking to vibe code for the first time. Be careful out there. Check the URLs of the sites you're visiting, and be extra wary when copying and pasting anything into a terminal from a website you don't know much about.

This Scam Impersonates the Official Claude Code Website to Spread Malware

If you use an AI-powered coding assistant like Claude Code, here's a good reason to always ensure you're copying commands from the legitimate interface: Scammers are now using cloned versions of popular tools to spread info-stealing malware through fake installation instructions -- a tactic known as InstallFix. Researchers at Push Security have identified carefully copied versions of Claude Code, Anthropic's command-line AI coding assistant, that look exactly like the real thing, complete with the layout, branding, text, documentation sidebar, and a lookalike domain. Every link on the page even redirects to the legitimate Claude Code site. The only malicious part is the one-line command to install Claude Code for macOS, Windows PowerShell, and Windows CMD. If you copy and paste this into terminal, it'll deliver malware instead. InstallFix is a variation ClickFix, a social engineering tactic that uses fake error messages, CAPTCHAs, and command prompts to get users to install malware on their own devices. A similar campaign recently utilized fake OpenClaw installers. The current Claude Code scheme targets both Windows and Mac users with an infostealer known as Amatera. This malware can harvest browser data -- saved passwords, cookies, session tokens, autofill data, even cryptocurrency wallets and credentials -- as well as system information. Attackers may be able to further avoid detection by hosting malicious sites on legitimate platforms like CloudFlare Pages and Squarespace. Push Security found that these fake install pages proliferated through malvertising -- specifically, sponsored results in Google when users searched terms like "Claude Code", "Claude Code install", or "Claude Code CLI." Be extra cautious when searching for coding tools or install instructions, and don't run commands copied from emails, forums, social media posts or messages, and websites unless you've independently verified their legitimacy. You can hide sponsored results in Google search (after you scroll past them), which is good practice so you don't accidentally click on a malicious ad. Consider bookmarking trusted sources you know you'll need to return to so you don't have to go through search. Finally, review both URLs and commands carefully. Threat actors will use tricks to make fake web addresses look legitimate at a glance, but upon closer inspection, you'll see that you're not on the real Claude Code site. You could also type commands in manually (again, only from verified sources) to ensure you're not copying and executing something hidden in the text.

Fake Claude Code Downloads Spread Malware, Target Developers

Fake Claude Code Installers Spread Infostealer Malware, Putting Developers and Code Credentials at Risk A new malware campaign is exploiting the popularity of Claude Code, targeting developers searching for AI coding tools online. Cybersecurity researchers warn that attackers have created fake download pages that distribute infostealer malware disguised as installers for the The campaign is an indication of an increasing trend whereby threat actors are using trending AI tools as a way of luring unsuspecting victims.