Menace actors are exploiting a standard developer behavior — copying set up instructions straight from web sites — to distribute malware by way of pretend software program set up pages.
Safety researchers at Push Safety not too long ago uncovered a marketing campaign concentrating on customers of Anthropic’s Claude Code, a well-liked command-line AI coding assistant.
The attackers are utilizing cloned web sites and malicious search ads to trick victims into putting in information-stealing malware on Home windows and macOS techniques.
“Attackers are distributing nearly similar cloned websites of standard developer instruments like Claude Code with pretend set up directions by way of malicious search engine advertisements — tricking victims into putting in infostealer malware as an alternative,” the researchers wrote.
Contained in the InstallFix malware marketing campaign
The marketing campaign highlights a rising safety danger tied to the widespread use of straightforward terminal instructions to put in developer instruments.
Many fashionable utilities depend on one-line set up instructions — usually utilizing a “curl to bash” method — that routinely obtain and execute scripts from a distant server. Whereas this technique makes set up quick and handy, it additionally locations vital belief within the supply internet hosting the script.
If the command factors to a malicious server, the consumer might unknowingly execute dangerous code straight on their system. In keeping with Push Safety’s analysis on the marketing campaign, attackers are exploiting this workflow by cloning reliable set up pages and modifying the instructions offered to customers.
The cloned websites carefully replicate the official documentation pages for standard instruments, however the set up directions are altered to fetch malware as an alternative of the meant software program. This danger is amplified by the speedy adoption of AI-powered developer instruments akin to Claude Code.
As AI coding instruments increase past skilled builders to a broader viewers of much less technical customers, extra folks might comply with set up directions with out rigorously verifying the supply or reviewing the instructions they run.
How InstallFix assaults work
InstallFix assaults depend on a simple however efficient type of social engineering. Quite than counting on conventional phishing lures or pretend error messages, attackers merely impersonate the official set up web page for a well-liked device.
The cloned web site usually mirrors the reliable web page nearly completely, together with branding, format, navigation for documentation, and instance instructions. To a typical consumer, the web page seems genuine. The one significant distinction lies within the set up command itself.
As a substitute of downloading the reliable set up script from the official Claude Code area, the malicious command retrieves a payload from an attacker-controlled server.
If a consumer copies and pastes the command into their terminal — as many set up guides instruct — the malware executes instantly on the system.
Contained in the Claude Code malware payload
Within the marketing campaign concentrating on Claude Code, researchers noticed the malware launching by way of cmd(.)exe, which then spawns mshta(.)exe to retrieve and execute extra scripts from a distant malicious area.
This staged execution course of permits attackers to obtain extra payloads and set up persistence on the sufferer’s machine.
Search advertisements used to distribute malware
To drive victims to pretend set up pages, attackers rely closely on malvertising campaigns.
Sponsored search outcomes seem when customers search phrases akin to “Claude Code set up,” “Claude Code CLI,” or associated queries. As a result of sponsored hyperlinks usually seem above reliable search outcomes, customers might click on them rapidly with out carefully inspecting the URL.
The assault is especially efficient as a result of search engines like google and yahoo typically truncate or conceal parts of the area in commercial previews, making malicious domains seem extra reliable.
Malvertising additionally bypasses many conventional safety controls. As a substitute of receiving a suspicious e mail hyperlink, victims merely seek for a device they intend to put in and unknowingly land on the attacker’s web page. Researchers decided that the payload used within the marketing campaign matches signatures related to Amatera Stealer, a comparatively new information-stealing malware household that emerged publicly in 2025.
Amatera is designed to gather delicate information from contaminated techniques, together with browser-stored credentials, session cookies, authentication tokens, and different system info.
The malware makes use of evasion strategies akin to dynamic API decision and command-and-control communications routed by way of reliable content material supply community (CDN) infrastructure to bypass safety defenses. As a result of the visitors blends in with reliable companies, blocking it with out disrupting regular operations will be tough.
Malware marketing campaign hides on trusted infrastructure
One other notable side of the marketing campaign is using reliable internet hosting platforms to ship the malicious pages. Researchers noticed cloned set up websites hosted on companies akin to Cloudflare Pages, Squarespace, and Tencent EdgeOne.
By leveraging respected infrastructure suppliers, attackers can mix their exercise into regular internet visitors patterns, decreasing the chance that malicious pages are instantly flagged or taken down.
Decreasing danger from InstallFix assaults
As a result of these InstallFix-style assaults exploit frequent developer workflows — akin to copying set up instructions from web sites — defenses should give attention to each stopping malicious downloads and detecting suspicious command-line exercise.
- Keep away from clicking sponsored search outcomes when downloading developer instruments; as an alternative, entry set up directions straight from official vendor documentation.
- Confirm URLs and set up instructions earlier than executing them in a terminal, particularly when instructions use patterns like [curl | bash] that obtain and run distant scripts.
- Implement DNS filtering, safe internet gateways, or area popularity controls to dam entry to newly registered or suspicious domains utilized in malvertising campaigns.
- Deploy endpoint detection and response (EDR) instruments to observe command-line exercise, script execution, and suspicious course of chains related to staged malware infections.
- Implement allow-listing for trusted repositories and think about internet hosting inside mirrors of generally used developer instruments to make sure installations come from verified sources.
- Apply least privilege insurance policies and prohibit administrative entry on developer workstations to scale back the impression of malicious set up scripts.
- Frequently take a look at incident response plans and use assault simulation instruments round software program provide chain exploitation situations.
Collectively, these measures assist organizations construct resilience in opposition to developer-targeted malware campaigns whereas limiting the potential blast radius if a malicious set up command is executed.
Editor’s observe: This text initially appeared on our sister web site, eSecurityPlanet.
