A new cyberattack campaign dubbed 'InstallFix' targets developers by spreading fake Claude Code installation pages through Google-sponsored search ads. Discovered by Push Security, the campaign uses near-identical clones of Anthropic's Claude Code install pages to trick users into copying and pasting malicious terminal commands that deploy the Amatera Stealer malware. The technique exploits the now-common developer habit of copy-pasting one-line install commands from websites into terminals. Attackers use legitimate hosting providers like Cloudflare Pages and Squarespace to appear trustworthy, and bypass email security by relying on paid search ads. Both experienced developers and non-technical vibe-coders are at risk, and users are advised to verify domain authenticity before executing any terminal commands from the web.
Sort: