Just in:
Copilot workflow bypass exposes critical safety gap // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Dubai weighs turning organic waste into aviation fuel // Iran widens energy threat as Hormuz battle escalates // Paymentology and T2P partner to accelerate the future of card issuing in Thailand // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // EU prosecutors examine subsidies linked to Babiš // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // Fynd brings AI fashion platform to Gulf // First Energy Africa Oil Corp. Strengthens Board with Appointment of Industry Veterans Simon Akit and Frederick Kozak // AI tools sharpen cybercrime as quishing surges // Dubai-Botswana pact opens new commodity trade corridor // Rival cyber spies penetrate Pakistan police networks // US missiles disable tanker bound for Iran // Gadkari’s Ethanol Defence Is Losing The Public Argument // De Beers halts Venetia output amid diamond slump // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Guardian Fire expands Midwest reach with Nebraska deal //

Claude lure targets developer secrets

Cybercriminals are using fake Claude Code installation pages to push a PowerShell-based information stealer at developers, marking a sharper turn in attacks that exploit the rush to adopt AI coding tools.

The campaign impersonates Anthropic’s Claude Code, a command-line assistant used by software teams to write, review and debug code. Victims are drawn through sponsored search results or cloned documentation pages that resemble legitimate installation guides. Instead of installing the tool, the copied command launches a Windows infection chain built around PowerShell, mshta. exe and in-memory execution.

ADVERTISEMENT

The latest variant is notable because it targets Chromium browser protections designed to stop routine cookie theft. Security analysis of the malware shows that it injects a small helper into a running browser process. That helper has one purpose: to invoke the browser’s IElevator2 COM interface, introduced with Chrome 144, and recover the App-Bound Encryption key used to protect sensitive browser data.

App-Bound Encryption was introduced in Chrome 127 on Windows to make it harder for malware running as the logged-in user to decrypt cookies and other stored secrets. The protection ties encrypted data to the legitimate browser application rather than allowing any process under the same user account to call Windows data protection functions. That shifted attackers towards noisier methods, including code injection, browser memory scraping and abuse of browser interfaces.

The fake Claude Code campaign shows how quickly that defensive gain is being contested. Once the App-Bound Encryption key is recovered, the stealer can move against browser-stored cookies, authentication tokens, passwords and profile data. For developers, that can expose far more than personal logins. Browser sessions often provide access to source-code repositories, cloud dashboards, internal documentation, issue trackers, package registries and corporate chat platforms.

The attack relies less on a software vulnerability than on a familiar developer habit: copying and running installation commands from a documentation page. Modern tools routinely ask users to paste one-line commands into PowerShell, Command Prompt, Terminal or shell environments. Attackers are exploiting that workflow by cloning trusted pages and replacing the genuine command with a malicious one.

Windows infections typically begin when the victim runs a command that invokes mshta. exe, a signed Microsoft utility capable of executing remote HTML Application content. That stage retrieves an obfuscated script, which then launches PowerShell components, disables or evades security scanning, builds a victim-specific identifier and contacts attacker-controlled infrastructure for further payloads. Some observed chains use polyglot files that look like application packages while hiding script content that mshta. exe can interpret.

The use of PowerShell gives the attackers flexibility. It allows staged execution, rapid payload changes, memory-only loading and command obfuscation. It also helps the malware avoid leaving conventional executable files on disk, limiting the evidence available to basic antivirus scans. Process chains involving a browser, mshta. exe, cmd. exe and PowerShell remain among the most important behavioural indicators for defenders.

The campaign fits a wider pattern of malware operators exploiting interest in AI developer tools. Fake Claude Code pages have been observed targeting both Windows and macOS users, with macOS variants using shell commands, encoded scripts and Mach-O payloads. Other campaigns have impersonated AI coding or automation tools through promoted search results, cloned landing pages and abused hosting platforms. The common objective is to reach technical users who hold high-value credentials.

Malvertising gives the operation added reach. Sponsored search placements can appear above legitimate documentation, and some search interfaces hide or truncate the full domain, making a malicious subdomain look more credible. Attackers have also used reputable hosting providers and compromised advertiser accounts to reduce suspicion.

For companies, the risk sits at the intersection of endpoint security, browser security and software supply-chain exposure. A single infected developer workstation can give attackers persistent access to repositories, build systems and cloud accounts. Stolen session cookies may bypass multi-factor authentication until the session is revoked or expires, while copied tokens can enable automated access long after the first compromise.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com