Users looking for Anthropic’s Claude Code agentic AI coding tool are being tricked via fake Claude Code install pages into running malware, Push Security researchers have warned.
The attackers behind this scheme are faithfully cloning Anthropic’s installation page, hosting it on a lookalike domain, and paying Google to surface those fake pages on the top of its results when users ask how to “install Claude Code”, “Claude Code CLI”, or simply “Claude Code”.
All links on these fake pages redirect to the legitimate Anthropic site, but the installation instructions have been swapped with malicious ones that trigger the retrieval of malware from a domain owned by the attackers.
The cloned page with the malicious install instructions (Source: Push Security)
“Unless you’re carefully reading the URL embedded in the install one-liner (and let’s be honest, almost nobody does these days), the page is indistinguishable from the real one,” the researchers noted.
The fake instructions for Windows users download the Amatera Stealer, and those for macOS users likely similar info-stealing malware that works on that operating system.
Turning ads and install instructions against users
Malicious online ads have become one of the most effective ways to trick users into installing malware or entertain a scammy offer.
“Malvertising via Google Search is an effective delivery vector because it bypasses email-based security controls entirely. There’s no phishing email to flag, no suspicious link in a message. The user initiates the interaction themselves by searching for something they genuinely intend to install. This is one of the reasons that attackers are doubling down on targeting ad manager accounts to be able to hijack existing ad budgets and spin up even more malicious ads,” Push Security explained.
Add to this the fact that pasting a command from a website straight into your terminal has slowly became the default way to install developer tools, and we have a recipe for disaster.
Inspired by the widely adopted “ClickFix” moniker, the researchers coined the term “InstallFix” for this social engineering tactic.
“All you need to make this attack work is a popular tool you can impersonate. Naturally, this makes trendy AI tools a popular choice,” the researchers added.
“But this isn’t just a Claude problem — any tool or site that is likely to get clicks, and can be easily cloned, is a potential target for malvertising and impersonation.”
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
