This Scam Impersonates the Official Claude Code Website to Spread Malware

Emily Long


If you use an AI-powered coding assistant like Claude Code, here's a good reason to always ensure you're copying commands from the legitimate interface: Scammers are now using cloned versions of popular tools to spread info-stealing malware through fake installation instructions—a tactic known as InstallFix.

Fake Claude Code interface used for InstallFix attacks


Researchers at Push Security have identified carefully copied versions of Claude Code, Anthropic's command-line AI coding assistant, that look exactly like the real thing, complete with the layout, branding, text, documentation sidebar, and a lookalike domain. Every link on the page even redirects to the legitimate Claude Code site. The only malicious part is the one-line command to install Claude Code for macOS, Windows PowerShell, and Windows CMD. If you copy and paste it into a terminal, it'll deliver malware instead.

InstallFix is a variation of ClickFix, a social engineering tactic that uses fake error messages, CAPTCHAs, and command prompts to get users to install malware on their own devices. A similar campaign recently utilized fake OpenClaw installers.

The current Claude Code scheme targets both Windows and Mac users with an infostealer known as Amatera. This malware can harvest browser data (saved passwords, cookies, session tokens, autofill data, even cryptocurrency wallets and credentials) as well as system information. Attackers may be able to further avoid detection by hosting malicious sites on legitimate platforms like Cloudflare Pages and Squarespace.

How to avoid InstallFix attacks


Push Security found that these fake install pages proliferated through malvertising—specifically, sponsored results in Google when users searched terms like "Claude Code", "Claude Code install", or "Claude Code CLI." Be extra cautious when searching for coding tools or install instructions, and don't run commands copied from emails, forums, social media posts or messages, and websites unless you've independently verified their legitimacy.

You can hide sponsored results in Google search (after you scroll past them), which is good practice so you don't accidentally click on a malicious ad. Consider bookmarking trusted sources you know you'll need to return to so you don't have to go through search.

Finally, review both URLs and commands carefully. Threat actors will use tricks to make fake web addresses look legitimate at a glance, but upon closer inspection, you'll see that you're not on the real Claude Code site. You could also type commands in manually (again, only from verified sources) to ensure you're not copying and executing something hidden in the text.
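The URL and command review described above can be partly automated before anything is pasted into a terminal. The following is an added example, not code from Push Security or Anthropic; the host `install.trusted.example` is a placeholder for a domain you have verified yourself, and the sample commands are constructed.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: hosts you have verified independently (placeholder value).
TRUSTED_HOSTS = {"install.trusted.example"}

# URLs as they appear inside shell, PowerShell or CMD one-liners.
URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.IGNORECASE)


def review_command(cmd, trusted=TRUSTED_HOSTS):
    """Return findings for a copied install command; an empty list means none."""
    findings = []
    # Format/control characters (zero-width spaces, bidi overrides) do not
    # render on a web page but are still part of what gets pasted.
    for ch in sorted(set(cmd)):
        if unicodedata.category(ch) in ("Cf", "Cc") and ch not in "\n\r\t":
            findings.append(f"hidden character U+{ord(ch):04X}")
    if not cmd.isascii():
        findings.append("non-ASCII characters present")
    for url in URL_RE.findall(cmd):
        parts = urlsplit(url)
        # .hostname drops any user@ prefix and port; compare the whole host,
        # never a substring, so lookalike domains do not pass.
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append(f"non-HTTPS download: {url}")
        if host not in trusted:
            findings.append(f"untrusted host: {host}")
    return findings


# Constructed sample commands (not taken from any real campaign).
GOOD = "curl -fsSL https://install.trusted.example/install.sh | bash"
LOOKALIKE = "curl -fsSL https://install-trusted.example/install.sh | bash"
HIDDEN = "curl -fsSL https://install.trusted.example/install.sh\u200b | bash"
PLAIN_HTTP = "curl http://install.trusted.example/i.sh | sh"

if __name__ == "__main__":
    for sample in (GOOD, LOOKALIKE, HIDDEN, PLAIN_HTTP):
        print(repr(sample), "->", review_command(sample) or "no findings")
```

An empty result only means the command points at hosts you already trust and contains no invisible characters; it says nothing about what the downloaded script does.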
