Attackers Hijack Claude Code Install Pages

Push Security researchers warn attackers are cloning Anthropic’s Claude Code installation page and using paid Google Search ads to surface lookalike domains that swap legitimate install instructions for malicious commands. The fake pages redirect to Anthropic’s site but replace install one-liners to download Amatera Stealer on Windows and similar info‑stealers on macOS. Developers risk credential theft unless they verify URLs and avoid pasting unknown install commands.
Key Points
- 1Clone pages deliver malicious install instructions, redirecting users to attacker-controlled malware download domains.
- 2Malvertising via paid Google Search ads surfaces fake installs, bypassing email security and exploiting search intent.
- 3Developers must verify URLs and avoid pasting one-liner install commands to prevent credential-stealing malware.
Scoring Rationale
Credible Push Security finding with actionable mitigations, but limited novelty beyond a targeted malvertising campaign affecting developers.
Sources
Public references used for this report.
Practice with real Ad Tech data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Ad Tech problems
