Malicious and unsafe use of Anthropic Claude Code leading to malware delivery and destructive infrastructure changes
Push Security reported an “InstallFix” malvertising campaign targeting developers searching for Anthropic’s Claude Code CLI. Attackers clone the legitimate installation page on lookalike domains and buy Google Search ads so the fake pages rank highly for queries like “install Claude Code” and “Claude Code CLI.” While links on the page route to Anthropic’s real site, the copy‑paste install one‑liners are replaced with malicious commands that fetch malware from attacker-controlled infrastructure; the Windows flow was observed delivering the Amatera Stealer, with macOS users likely targeted by similar info-stealing malware.
Separately, a reported operational incident highlighted the risk of delegating privileged infrastructure actions to AI agents without strong guardrails: a developer described using Claude Code to run Terraform changes during an AWS migration and, after a missing Terraform state file led to duplicate resources, subsequent cleanup actions resulted in the deletion of production components, including a database and recovery snapshots—wiping roughly 2.5 years of records. Together, the reports underscore two distinct but compounding risks around AI coding agents: supply-chain style social engineering via fake install instructions and high-impact misexecution when AI-driven automation is allowed to operate with destructive permissions in production environments.
Related Entities
Malware
Organizations
Affected Products
Sources
Related Stories
Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s **Claude Code** were promoted via **Google Ads** to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an **InstallFix** campaign (a variant of **ClickFix**) that ultimately deployed **Amatera** (an **ACR Stealer**-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., *Squarespace*, *Cloudflare Pages*, *Tencent EdgeOne*) to reduce suspicion. In a related AI-tool impersonation theme, JFrog identified a malicious **npm** package, `@openclaw-ai/openclawai`, posing as an **OpenClaw** installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a `postinstall` hook to reinstall itself globally and registers a CLI via the `bin` field pointing to `scripts/setup.js`, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as **GhostLoader**) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a **RAT** with **SOCKS5 proxy** capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
1 weeks ago
Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in **Anthropic’s Claude Code** AI coding assistant that could enable **arbitrary command execution** and **exfiltration of Anthropic API credentials** when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly **project hooks** (e.g., untrusted `.claude/settings.json`), **Model Context Protocol (MCP) servers**, and **environment variables**—to trigger shell command execution and data theft. Anthropic’s advisory for **CVE-2026-21852** describes a project-load flow where a crafted repo can set `ANTHROPIC_BASE_URL` to an attacker-controlled endpoint, causing Claude Code to send API requests **before** the trust prompt is shown, potentially leaking the user’s API key. The disclosed issues include two high-severity code-injection paths (CVSS **8.7**) and one information-disclosure flaw (CVSS **5.3**): a consent-bypass/hook-based injection issue fixed in *Claude Code* **1.0.87** (Sept 2025), **CVE-2025-59536** fixed in **1.0.111** (Oct 2025), and **CVE-2026-21852** fixed in **2.0.65** (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to **RCE** and **credential leakage**, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
2 weeks ago
InstallFix malvertising campaign spreads fake Claude Code installers to deliver Amatera Stealer
Push Security reported a new **ClickFix-style** social-engineering campaign dubbed **InstallFix** that uses **Google-sponsored search ads** to drive developers to near-identical cloned “install” pages for *Anthropic Claude Code* and similar AI coding tools. Victims are prompted to copy/paste terminal commands from the fake pages; executing them installs **Amatera Stealer**, enabling credential theft and potential access to enterprise development environments. Separate reporting highlighted adjacent browser-based tradecraft: a previously legitimate Chrome extension (*QuickLens – Search Screen with Google Lens*) with roughly **7,000 users** was updated to deploy **ClickFix** attacks, strip web security headers, and steal cryptocurrency wallet seed phrases before being removed from the Chrome Web Store. A weekly threat bulletin also noted unrelated incidents (e.g., ransomware and data breaches) and separate AI-themed malicious extensions that harvest LLM chat histories, but those items are not part of the InstallFix/Claude Code malvertising campaign itself.
1 weeks ago