Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s Claude Code were promoted via Google Ads to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an InstallFix campaign (a variant of ClickFix) that ultimately deployed Amatera (an ACR Stealer-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., Squarespace, Cloudflare Pages, Tencent EdgeOne) to reduce suspicion.
In a related AI-tool impersonation theme, JFrog identified a malicious npm package, @openclaw-ai/openclawai, posing as an OpenClaw installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a postinstall hook to reinstall itself globally and registers a CLI via the bin field pointing to scripts/setup.js, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as GhostLoader) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a RAT with SOCKS5 proxy capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
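The install-time behaviours just described (a postinstall hook that re-runs npm with a global install, and a bin entry that points into a scripts/ directory) are exactly what a manifest audit can surface before a package is allowed to run. The following is an added example, not code from the page, from JFrog, or from the npm project: it inspects a parsed package.json object and returns findings. The package name, the sample manifest, and the heuristic patterns are constructed assumptions for the demo, not a published detection rule.

```javascript
// Added example (not from the page, JFrog, or npm): audit a parsed package.json
// for install-time behaviours of the kind the OpenClaw-impersonation story describes.

// Lifecycle scripts npm runs during "npm install", before the user has read anything.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic patterns (assumptions of this example) that make a hook worth review.
const RISKY_HOOK_PATTERNS = [
  // re-invokes npm with -g / --global: the self-reinstall trick from the story
  { id: 'global-reinstall', re: /\bnpm\s+(?:i|install)\b[^\n]*\s(?:-g|--global)\b/ },
  // pulls content from the network at install time
  { id: 'remote-fetch', re: /\b(?:curl|wget|fetch\()/ },
  // hands a string to a shell or to eval
  { id: 'shell-eval', re: /\b(?:eval|bash\s+-c|sh\s+-c)\b/ },
];

function auditPackageManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Any install-time hook is noteworthy on its own.
    findings.push({ kind: 'install-hook', hook, detail: cmd });
    for (const { id, re } of RISKY_HOOK_PATTERNS) {
      if (re.test(cmd)) findings.push({ kind: id, hook, detail: cmd });
    }
  }

  // "bin" may be a single path (string) or a map of command name -> path.
  const bin = manifest.bin || {};
  const binEntries = typeof bin === 'string' ? { [manifest.name]: bin } : bin;
  for (const [cmdName, target] of Object.entries(binEntries)) {
    if (/^(\.\/)?scripts\//.test(target)) {
      findings.push({ kind: 'bin-in-scripts-dir', hook: cmdName, detail: target });
    }
  }
  return findings;
}

// Distinct finding kinds, sorted, for a quick summary.
function summarize(findings) {
  return [...new Set(findings.map((f) => f.kind))].sort();
}

// Constructed manifest mirroring the behaviours the story attributes to the
// malicious package; the scope, name and paths are made up for this demo.
const SAMPLE_MANIFEST = {
  name: '@example-scope/fake-installer',
  version: '1.0.0',
  scripts: {
    postinstall: 'npm install -g @example-scope/fake-installer && node scripts/setup.js',
  },
  bin: { 'fake-installer': 'scripts/setup.js' },
};

for (const f of auditPackageManifest(SAMPLE_MANIFEST)) {
  console.log(`[${f.kind}] ${f.hook}: ${f.detail}`);
}
```

Run it with `node` on any package.json loaded via `JSON.parse`; an empty result means no install hooks and no bin entry under scripts/, which is the normal shape for a library. A non-empty result is a prompt for a human to read the hook, not a verdict on its own.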

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ThreatLabz finds fake Claude Code leak repo spreading Vidar and GhostSocks
ThreatLabz identified a malicious GitHub campaign that used a fake 'Claude Code leak' repository and release archives to lure users into downloading a Rust-based dropper, ClaudeCode_x64.exe. The malware deployed Vidar v18.7 and GhostSocks, and the actor also operated a second similar repository while benefiting from high Google search visibility for 'leaked Claude Code' queries.
InstallFix campaign found using legitimate hosting providers for stealth
The Amatera campaign was found to host malicious pages on legitimate infrastructure including Squarespace, Cloudflare Pages, and Tencent EdgeOne to improve stealth and resilience. The report also linked the activity to a broader pattern of fake developer-tool installers, noting recent OpenClaw-themed lures promoted through Bing AI search results.
Push Security reports fake Claude Code guides spreading Amatera
Push Security reported a new InstallFix campaign using fake Anthropic Claude Code installation pages promoted through Google Ads malvertising. The campaign targeted Windows and macOS users and delivered the Amatera infostealer, which steals browser credentials, cookies, session tokens, and system information.
GhostLoader second-stage malware capabilities are disclosed
Analysis revealed the package fetched an encrypted second-stage JavaScript payload from trackpipe[.]dev, identified internally as GhostLoader. The malware acted as a full-featured macOS infostealer and RAT with persistence, SOCKS5 proxying, command execution, browser session cloning, and exfiltration via its C2 server, Telegram Bot API, and GoFile.io.
Researchers identify malicious npm package posing as OpenClaw installer
Researchers reported that the npm package @openclaw-ai/openclawai impersonated an OpenClaw installer and used a postinstall hook to deploy a macOS-focused malware chain. The package reinstalled itself globally, displayed a fake CLI installer, and used a bogus iCloud Keychain prompt to trick victims into entering their system password.
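The exfiltration channels listed for GhostLoader (its C2 host, the Telegram Bot API, and GoFile) are all ordinary HTTPS destinations, so the useful host-side signal is which process is talking to them. As an added example that is not part of the page or of any cited vendor's tooling, the script below runs that check over constructed egress log lines. The log format ("<iso-time> <process> <dest-host>:<port>"), the process names, and the sample lines are assumptions; the only values taken from the story are the three destinations.

```javascript
// Added example; not code from the page or from any vendor it cites.
// Flags egress to the exfiltration channels named in the GhostLoader write-up
// and rates a script interpreter reaching them as the stronger signal.

// Turns a defanged indicator as printed in reports ("trackpipe[.]dev") into a hostname.
function refang(host) {
  return host.replace(/\[\.\]/g, '.').toLowerCase();
}

// Destinations named in the story; the C2 host is kept defanged as the report prints it.
const WATCHED_HOSTS = ['trackpipe[.]dev', 'api.telegram.org', 'gofile.io'].map(refang);

// Interpreters a credential-stealing installer script would typically run under (assumed).
const SCRIPT_INTERPRETERS = new Set(['node', 'osascript', 'python3', 'sh', 'bash', 'zsh']);

// Parses one "<time> <process> <host>:<port>" line; returns null for anything else.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+([^\s:]+):(\d+)$/.exec(line.trim());
  if (!m) return null;
  return { time: m[1], process: m[2], host: m[3].toLowerCase(), port: Number(m[4]) };
}

// Matches the host itself or any subdomain (e.g. the per-upload storage hosts GoFile hands out).
function matchWatched(host) {
  return WATCHED_HOSTS.find((w) => host === w || host.endsWith('.' + w)) || null;
}

function detectExfil(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const hit = matchWatched(ev.host);
    if (!hit) continue;
    findings.push({
      time: ev.time,
      process: ev.process,
      host: ev.host,
      matched: hit,
      // A chat client talking to Telegram is expected; a script interpreter doing so is not.
      severity: SCRIPT_INTERPRETERS.has(ev.process) ? 'high' : 'low',
    });
  }
  return findings;
}

// Constructed sample: a benign Telegram desktop session, a node process posting to the
// Bot API, an upload to a GoFile storage host, a C2 beacon, normal browsing, and junk.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z Telegram api.telegram.org:443',
  '2024-01-01T10:00:05Z node api.telegram.org:443',
  '2024-01-01T10:00:09Z node store1.gofile.io:443',
  '2024-01-01T10:00:12Z osascript trackpipe.dev:443',
  '2024-01-01T10:00:15Z Safari www.example.com:443',
  'malformed line without a destination',
];

for (const f of detectExfil(SAMPLE_LOG)) {
  console.log(`${f.severity.toUpperCase()} ${f.time} ${f.process} -> ${f.host} (watched: ${f.matched})`);
}
```

The low-severity Telegram finding is kept rather than dropped so the analyst can see the baseline; in a real deployment the watched list would be the indicators from the report plus whatever the C2 resolves to, and the interpreter set would be tuned to the fleet.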
Sources
4 references tracked.
Anthropic Claude Code Leak | ThreatLabz (zscaler.com)
Amatera infostealer deployed via phony Claude Code guides | brief | SC Media (scworld.com)
AI Coding Tools Under Fire: Mapping the Malvertising Campaigns Targeting the Vibe Coding Ecosystem (pillar.security)
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials (thehackernews.com)