Developers searching for Claude Code installation guidance are being targeted by fake websites that distribute credential-stealing malware, widening a campaign aimed at people who use AI coding tools in corporate and independent software environments.The fraudulent sites imitate legitimate documentation pages and installation portals for Claude Code and related developer platforms. Their main lure is a familiar software-install routine: copy a command, paste it into a terminal, and run it. Hidden inside those commands are additional instructions that execute malware while allowing part of the expected installation process to continue, reducing the chance that victims notice the compromise immediately.
Security teams have identified more than 88 fake domains linked to the operation, with infrastructure rotating across hosted platforms to withstand takedowns. The campaign has been active since March 2026 and has targeted users of Claude Code, Cline, JetBrains, Snowflake, Perplexity Comet and other tools used in software engineering, data work and AI-assisted development.
The attackers are using search engine manipulation, redirect chains and paid advertisements to place malicious pages above legitimate documentation in search results. That approach is especially dangerous in developer communities, where command-line installation is common and users often rely on online guides, code snippets and community documentation to adopt new tools quickly.
Claude Code, Anthropic’s terminal-based AI coding assistant, has become a high-value brand for attackers because it is associated with direct access to development environments. A compromised workstation may contain source code, cloud tokens, API keys, package registry credentials, browser sessions, password manager data, VPN credentials, cryptocurrency wallets and internal project files.
The latest campaign is built around multi-stage malware delivery. Observed techniques include malicious DLL loading through rundll32. exe, abuse of mshta. exe, Base64-encoded commands, JavaScript-based payloads and scripts hosted on GitHub. These methods allow attackers to vary their execution path and make detection harder for endpoint tools that depend heavily on known file signatures.
The primary payload identified in the installer campaign is ACRStealer, an information-stealing malware family designed to harvest credentials and sensitive files. It uses encrypted command-and-control communication, fileless execution techniques and anti-analysis features. Some variants also include cryptocurrency clipboard hijacking, replacing copied wallet addresses with attacker-controlled addresses during transactions.
The threat comes amid a broader wave of malware campaigns exploiting interest in AI coding platforms. Earlier this year, fake Claude-themed GitHub repositories were used to distribute Vidar infostealer and GhostSocks proxy malware to users looking for leaked Claude Code material. Another fake Claude AI website promoted a supposed Claude-Pro Relay download that installed a backdoor on Windows systems, giving attackers remote command execution capabilities.
The chronology shows a shift from simple impersonation to a more mature attack model. First, attackers used fake repositories and leaked-code bait to catch curiosity-driven users. They then moved into polished installation pages and paid search placement. The current pattern suggests a professionalised operation that treats AI developer tools as a repeatable route into high-value machines.
Developers are attractive targets because their systems often contain long-lived secrets. API tokens may allow access to cloud services, AI platforms, databases, code repositories and billing accounts. Where multi-factor authentication protects user logins, exposed tokens may still provide attackers with a way to bypass normal sign-in checks. A single stolen key can lead to unauthorised compute use, data theft, supply-chain compromise or lateral movement inside an organisation.
The risk is not limited to large technology companies. Smaller software teams, contractors, security researchers, students and independent builders are also exposed because they may install AI tools outside managed device policies. The rise of AI-assisted programming has increased the speed at which developers adopt new command-line utilities, extensions and integrations, creating an opening for attackers who can mimic the language and appearance of legitimate tooling.
Organisations are being urged to treat developer workstations as high-risk assets rather than ordinary endpoints. Practical steps include forcing installation through approved package managers, blocking newly registered suspicious domains, restricting script execution, monitoring unusual child processes from terminals and code editors, and scanning repositories and local machines for exposed secrets.
Security teams should also monitor for process chains involving code editors launching PowerShell, mshta. exe or osascript, especially after a user has copied installation commands from the web. Outbound traffic to unfamiliar infrastructure, unexpected Defender exclusions, archive files staged in temporary directories and rapid access to browser credential stores are further warning signs.
Topics
Technology