In the evolving landscape of AI-powered coding tools, users of Claude Code must remain vigilant. Recent findings reveal that scammers are deploying cloned versions of popular applications to disseminate information-stealing malware via counterfeit installation instructions, a method referred to as InstallFix.
Counterfeit Claude Code Interfaces Target Users
Researchers from Push Security have uncovered meticulously crafted replicas of Claude Code, the command-line AI coding assistant developed by Anthropic. These fraudulent sites mimic the authentic interface down to the layout, branding, and documentation, even utilizing a similar domain. However, the sole malicious aspect lies in a one-line command intended for installing Claude Code on macOS, Windows PowerShell, and Windows CMD. Executing this command unwittingly installs malware instead of the intended software.
InstallFix, a variation of ClickFix, employs social engineering tactics, leveraging fake error messages and prompts to trick users into installing malware. A recent campaign has similarly exploited fake OpenClaw installers.
Tips to Safeguard Against InstallFix Attacks
The current Claude Code scam targets both Windows and Mac users with an information-stealing malware known as Amatera. This malicious software can extract sensitive data from browsers, including saved passwords, cookies, session tokens, and even cryptocurrency wallet information. Attackers have become increasingly adept at evading detection by hosting these harmful sites on reputable platforms like CloudFlare Pages and Squarespace.
Push Security's research indicates that these deceptive installation pages proliferate through malvertising, particularly appearing as sponsored results on Google searches for terms like "Claude Code" or "Claude Code install." Users are urged to exercise caution when searching for coding tools or installation guides. Avoid executing commands copied from unverified emails, forums, or social media unless their authenticity has been confirmed.
To enhance security, consider hiding sponsored results in Google searches to minimize the risk of clicking on malicious advertisements. Bookmarking trusted sources can also streamline your access to verified information, reducing the need for potentially risky searches.
Finally, meticulous scrutiny of URLs and commands is essential. Scammers often employ deceptive tactics to make fraudulent web addresses appear legitimate. Always verify that you are on the genuine Claude Code site, and for added security, manually input commands from trusted sources instead of copying them.
As the digital landscape continues to evolve, these developments highlight the importance of cybersecurity awareness. By staying informed and cautious, users can protect themselves from emerging threats in the tech world.