Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
Happening score: 36
1 unique source, 1 article

Summary

A fake Claude Code installer campaign is using sponsored search results and operator-controlled domains to deliver an infostealer to developer workstations, putting browser credentials and payment data at risk. The lure pages imitate legitimate documentation while swapping the install command to an attacker domain, turning a normal install flow into malware delivery. The operation was tied to three domains registered in April 2026 and shows sustained, multi-step targeting rather than a one-off lure.

Related Happenings

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

LofyGang Minecraft LofyStealer campaign

Campaign
First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Fake Claude PlugX phishing campaign

Campaign
First: 13.04.2026 12:52 Last: 13.04.2026 12:52 Sources 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

Timeline

  1. 11.05.2026 17:00 · 2 articles

    Fake Claude Code install pages deliver Chromium infostealer to developers

    Initial Disclosure

    Ontinue detailed a fake Claude Code installation-page campaign that used sponsored search results for "install claude code" to send developers to a lookalike page, where the legitimate Anthropic install host had been swapped for an attacker-controlled domain. The page launched a 600 KB obfuscated PowerShell loader that injected a 4608-byte native helper into Chromium-family browsers, recovered the App-Bound Encryption key, and exfiltrated cookies, passwords and payment data from developer workstations. A scheduled task maintained persistence, and the loader excluded hosts in Iran, Russia and other CIS members.