Windows and Mac Users Targeted Through Fake Claude Code Installation Pages

A growing social engineering attack targets software developers and AI users by exploiting a widely trusted behavior: single-command software installations. Attackers mimic official documentation and download pages for tools like Claude Code, retaining all visual elements like logos, layouts, and 'copy' buttons, but altering the install command to point to a malicious domain. Because other links redirect to the legitimate vendor, the fake Claude Code installation page raises no suspicion.

This mechanism exploits the assumption that the domain providing the install command is trustworthy. Modern guides often recommend executing a line like curl https://example.com | bash in the terminal. While convenient, it grants code execution authority to that URL using the user's own administrative permissions. Tracked as InstallFix malware, this method closely mirrors ClickFix attacks. The user unknowingly compromises their own system without the attacker exploiting a traditional software vulnerability.

The attack chain begins with poisoned search engine ads. Users searching for "Claude Code install" or "Claude Code CLI" click a promoted ad leading to an exact replica of the documentation. This tactic is highly effective; following installation instructions to the letter is standard practice, making the threat of malicious remote execution scripts easy to overlook.

The primary payload is the Amatera infostealer, designed to harvest browser data, including stored passwords, cookies, active session tokens, and autofill profiles. The impact extends beyond simple credential theft. Stolen session tokens enable session hijacking, allowing attackers to bypass authentication and access cloud interfaces or internal admin panels. Variants also target cryptocurrency wallets and high-value enterprise accounts.

The Target: Windows and Mac

Researchers identified this campaign targeting both Windows and macOS systems.

On macOS systems, the malicious one-liner downloads a secondary script from an attacker-controlled domain. This script is often Base64-encoded to evade detection. It then downloads, modifies, and executes a malicious binary, establishing a foothold for macOS malware.

On Windows, the command spawns cmd.exe, which runs mshta.exe and passes a remote URL as a parameter. This allows the Windows malware to execute through a trusted Microsoft application, bypassing standard suspicion. In both cases, the terminal closes normally, leaving the malware running silently in the background.

Steps to stay safe

As ClickFix and InstallFix attacks spread, awareness and proactive cybersecurity best practices are your best defense.

• Slow down: Don't blindly follow webpage instructions. Question terminal commands and understand the code before executing it.
• Avoid untrusted sources: Never run scripts from unverified websites or messages. Cross-check commands with official vendor documentation.
• Limit copy-paste reliance: Manually inspect or type terminal commands rather than pasting directly from a webpage to avoid hidden malicious payloads.
• Secure your devices: Deploy real-time endpoint protection (EDR) or anti-malware with robust web protection modules.
• Verify Your Posture: Threat actors continuously evolve their tactics to bypass standard endpoint defenses. A proactive approach is mandatory.

At SaltedHash Tech, we specialize in identifying vulnerabilities before they are weaponized. From advanced penetration testing to building resilient security architectures, we ensure your operational scale is protected against modern social engineering and credential theft.