Fake Claude AI Sites Spread Malware Through Google Ads

Beware of fake Claude Code sites spreading malware via Google ads, targeting developers with near-perfect clones to steal credentials.

By Content Team

Mar 10, 2026

ON THIS PAGE

Share

---

ON THIS PAGE

Want more insights like this?

Subscribe to our newsletter to get the latest software protection strategies delivered to your inbox.

By submitting your email, you consent to Codekeeper contacting you and agree to our privacy policy.

Cybercriminals are targeting developers with fake Claude Code installation sites that spread through Google-sponsored search results. Push Security researchers discovered the "InstallFix" campaign, where attackers create near-perfect clones of Anthropic's legitimate installation pages.

When users copy installation commands from these fake sites, they unknowingly deploy Amatera Stealer malware that can steal credentials and access enterprise development environments. The attack exploits developers' common practice of copy-pasting terminal commands directly from websites.

The malicious ads appear above legitimate search results for terms like "Claude Code install," making them easy to mistake for official pages. Attackers use trusted hosting services like Cloudflare Pages to make their fake domains appear legitimate.

Source: Dark Reading

Share this article

Have questions about protecting your software?

Our escrow experts are standing by to help.

Book a free demo

YOU MAY ALSO LIKE

Salesforce Customers Hit by Third Major Attack Wave in Six Months

Mar 11, 2026

Critical 'MongoBleed' Bug Under Active Attack, Patch Now

Jan 6, 2026

Cisco Patches Critical Zero-Day Flaw Already Being Exploited in the Wild

Jan 24, 2026

State-Sponsored Hackers Increasingly Target Defense Workers Through Personal Attacks

Feb 11, 2026