Malicious Imposters Target Developers with Fake Claude Code Installers
A sophisticated malware campaign is exploiting the popularity of Anthropic's Claude Code tool, security researchers warn. Fraudulent websites, designed to look like official Anthropic download pages, are tricking developers into installing trojanized versions of the command-line coding assistant on both Windows and macOS systems.
The fake sites replicate Anthropic's branding with high fidelity, using convincing domain names and HTTPS certificates. Developers looking to install the tool are presented with download buttons that deliver malicious binaries instead of the legitimate software. On Windows, the payload is an information stealer that collects credentials, browser data, and cryptocurrency details. The macOS version installs a persistent backdoor to exfiltrate sensitive information from the compromised machine.
This attack method is particularly effective because it targets a specific, motivated audience: developers actively seeking a productivity tool. Threat actors have reportedly used search engine advertisements to place these poisoned links above genuine results, increasing the likelihood of infection.
Anthropic distributes the real Claude Code tool exclusively through the npm package registry. The legitimate installation is performed via the command line with `npm install -g @anthropic-ai/claude-code`. Any website offering a direct `.exe` or `.dmg` download for Claude Code is fraudulent.
Security teams should treat this as an urgent issue. A compromised developer machine, often holding elevated access to code repositories and cloud credentials, can serve as a gateway into an organization's core infrastructure. Immediate steps include communicating the official npm installation path to all developers, blocking unsigned binaries from unverified sources, and monitoring for unusual network activity from development workstations.
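The rule above (npm only, never a direct `.exe` or `.dmg`) can be turned into a workstation check. The following is an added example, not code from the article or from Anthropic: it flags installer files in a download folder and checks whether the CLI on `PATH` resolves into the npm package. The filename pattern, the `Downloads` location, the CLI name `claude` and the Windows npm shim layout are assumptions.

```python
import os
import re
import shutil
from pathlib import Path

INSTALLER_EXTS = {".exe", ".dmg"}  # per the article: never a legitimate Claude Code download
NAME_RE = re.compile(r"claude[\s._-]*code", re.IGNORECASE)  # assumption: lure keeps the product name
NPM_PACKAGE = ("node_modules", "@anthropic-ai", "claude-code")  # from the official npm command


def is_suspect_installer(filename):
    """True for names such as 'ClaudeCode-Setup.exe' or 'claude_code.dmg'."""
    p = Path(filename)
    return p.suffix.lower() in INSTALLER_EXTS and bool(NAME_RE.search(p.stem))


def is_npm_install(resolved):
    """True if a resolved path lies inside the npm package directory."""
    parts = tuple(re.split(r"[\\/]+", resolved.lower()))
    n = len(NPM_PACKAGE)
    return any(parts[i:i + n] == NPM_PACKAGE for i in range(len(parts) - n + 1))


def scan_downloads(directories):
    """Return paths of suspect installers found under the given directories."""
    hits = []
    for root in directories:
        for dirpath, _dirs, files in os.walk(root):
            hits += [os.path.join(dirpath, f) for f in files if is_suspect_installer(f)]
    return sorted(hits)


def audit_cli(name="claude"):
    """Return (path, came_from_npm) for the CLI on PATH, or None if absent."""
    found = shutil.which(name)  # assumption: the CLI is invoked as 'claude'
    if found is None:
        return None
    real = os.path.realpath(found)
    # Windows npm shims are .cmd files beside node_modules, not symlinks.
    shim_ok = Path(found).parent.joinpath(*NPM_PACKAGE).is_dir()
    return real, is_npm_install(real) or shim_ok


if __name__ == "__main__":
    for hit in scan_downloads([str(Path.home() / "Downloads")]):
        print("suspect installer:", hit)
    cli = audit_cli()
    if cli and not cli[1]:
        print("claude on PATH is not from the npm package, review:", cli[0])
```

A hit is a reason to review the machine, not proof of compromise; a renamed installer will not match the filename pattern.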
This incident follows a pattern of similar scams targeting popular AI and developer tools. As these utilities become integral to modern software development, their rapid adoption creates exploitable confusion, a gap threat actors are increasingly adept at filling.
Source: Webpronews