Claude lure targets developer secrets

Cybercriminals are using fake Claude Code installation pages to push a PowerShell-based information stealer at developers, marking a sharper turn in attacks that exploit the rush to adopt AI coding tools.

The campaign impersonates Anthropic’s Claude Code, a command-line assistant used by software teams to write, review and debug code. Victims are drawn through sponsored search results or cloned documentation pages that resemble legitimate installation guides. Instead of installing the tool, the copied command launches a Windows infection chain built around PowerShell, mshta. exe and in-memory execution.

The latest variant is notable because it targets Chromium browser protections designed to stop routine cookie theft. Security analysis of the malware shows that it injects a small helper into a running browser process. That helper has one purpose: to invoke the browser’s IElevator2 COM interface, introduced with Chrome 144, and recover the App-Bound Encryption key used to protect sensitive browser data.

App-Bound Encryption was introduced in Chrome 127 on Windows to make it harder for malware running as the logged-in user to decrypt cookies and other stored secrets. The protection ties encrypted data to the legitimate browser application rather than allowing any process under the same user account to call Windows data protection functions. That shifted attackers towards noisier methods, including code injection, browser memory scraping and abuse of browser interfaces.

The fake Claude Code campaign shows how quickly that defensive gain is being contested. Once the App-Bound Encryption key is recovered, the stealer can move against browser-stored cookies, authentication tokens, passwords and profile data. For developers, that can expose far more than personal logins. Browser sessions often provide access to source-code repositories, cloud dashboards, internal documentation, issue trackers, package registries and corporate chat platforms.

The attack relies less on a software vulnerability than on a familiar developer habit: copying and running installation commands from a documentation page. Modern tools routinely ask users to paste one-line commands into PowerShell, Command Prompt, Terminal or shell environments. Attackers are exploiting that workflow by cloning trusted pages and replacing the genuine command with a malicious one.

Windows infections typically begin when the victim runs a command that invokes mshta. exe, a signed Microsoft utility capable of executing remote HTML Application content. That stage retrieves an obfuscated script, which then launches PowerShell components, disables or evades security scanning, builds a victim-specific identifier and contacts attacker-controlled infrastructure for further payloads. Some observed chains use polyglot files that look like application packages while hiding script content that mshta. exe can interpret.

The use of PowerShell gives the attackers flexibility. It allows staged execution, rapid payload changes, memory-only loading and command obfuscation. It also helps the malware avoid leaving conventional executable files on disk, limiting the evidence available to basic antivirus scans. Process chains involving a browser, mshta. exe, cmd. exe and PowerShell remain among the most important behavioural indicators for defenders.

The campaign fits a wider pattern of malware operators exploiting interest in AI developer tools. Fake Claude Code pages have been observed targeting both Windows and macOS users, with macOS variants using shell commands, encoded scripts and Mach-O payloads. Other campaigns have impersonated AI coding or automation tools through promoted search results, cloned landing pages and abused hosting platforms. The common objective is to reach technical users who hold high-value credentials.

Malvertising gives the operation added reach. Sponsored search placements can appear above legitimate documentation, and some search interfaces hide or truncate the full domain, making a malicious subdomain look more credible. Attackers have also used reputable hosting providers and compromised advertiser accounts to reduce suspicion.

For companies, the risk sits at the intersection of endpoint security, browser security and software supply-chain exposure. A single infected developer workstation can give attackers persistent access to repositories, build systems and cloud accounts. Stolen session cookies may bypass multi-factor authentication until the session is revoked or expires, while copied tokens can enable automated access long after the first compromise.