www.infosecurity-magazine.com 5/11/2026, 2:31:38 PM

Fake Claude Code pages spread info stealer via Chromium hijack

According to Ontinue's Cyber Defense Center, a previously undocumented information stealer has been distributed through fake Claude Code installation pages. It hijacks Chromium browsers to bypass App-Bound Encryption and exfiltrates cookies, passwords and payment data from developer workstations.

The campaign, detailed on 11 May 2026, was traced to three operator-controlled domains registered within a six-day window in April 2026. Victims arrived at the lookalike page after clicking sponsored search results for "install claude code". The lure page mirrored the Claude Code documentation but carried an altered one-line installation command: the site's own /install.ps1 path served a verbatim copy of the genuine installer, which is what a cursory check of the expected path would find, while the command actually shown on the page fetched its payload from elsewhere.

Once run, the pasted command fetched a heavily obfuscated PowerShell loader of roughly 600 KB that enumerates Chromium-family browsers and reflectively injects a 4,608-byte native helper into a running browser process. The helper uses the browser's IElevator2 COM interface to recover the App-Bound Encryption key. App-Bound Encryption wraps that key so the browser's elevation service will only unwrap it for a caller it verifies as the browser itself, which is why the helper has to run inside the browser process rather than from PowerShell. Because the native code never runs as its own process, the activity visible to detection stays confined to the PowerShell layer, evading behavioural rule sets keyed on suspicious child processes.

Ontinue notes that the sample was built within 60 days of the Chrome 144 release in January 2026. The loader establishes persistence via a Windows scheduled task and exits early if the host's region matches an exclusion list.
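The two places this chain leaves a host-side trace, per the description above, are the scheduled task that re-launches the PowerShell loader and the PowerShell layer itself. The hunt script below is an added example, not code from the article or from Ontinue's report. It assumes generic indicator patterns (download cradles, encoded commands, hidden windows, in-memory native loading, the elevator COM interface name); the campaign's own domains, task names and hashes are not published on this page, so nothing in the script is a campaign IOC. It also assumes PowerShell Script Block Logging is enabled, because event 4104 records script blocks after deobfuscation, which is what makes an obfuscated loader readable.

```powershell
# Added hunt script (example only). Indicator regexes are assumptions, not IOCs
# from the report; tune them to the environment before relying on them.

$Indicators = [ordered]@{
    DownloadCradle   = '(?i)\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient)\b'
    InvokeExpression = '(?i)\b(iex|Invoke-Expression)\b'
    EncodedCommand   = '(?i)-(enc|encodedcommand|e|ec)\s+[A-Za-z0-9+/=]{40,}'
    HiddenWindow     = '(?i)-w(indowstyle)?\s+hidden'
    NativeMemoryApi  = '(?i)\b(VirtualAlloc(Ex)?|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx|OpenProcess|QueueUserAPC)\b'
    ReflectiveLoad   = '(?i)\[(System\.)?Reflection\.Assembly\]::Load\(|Add-Type\b.*DllImport'
    ElevatorCom      = '(?i)IElevator'   # matches IElevator and IElevator2
}

function Test-Indicators {
    param([string]$Text)
    # Returns the name of every indicator family that matches the text.
    $hits = foreach ($name in $Indicators.Keys) {
        if ($Text -match $Indicators[$name]) { $name }
    }
    return @($hits)
}

function Get-SuspiciousTaskActions {
    # Walks every scheduled task and flags exec actions that launch PowerShell
    # with at least one indicator; this is where loader persistence would show.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # skip COM-handler actions
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -notmatch '(?i)powershell|pwsh') { continue }
            $hits = Test-Indicators $cmdline
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    Hits    = ($hits -join ',')
                    Command = $cmdline
                }
            }
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    # Event 4104 carries the executed script block text in Properties[2] and the
    # block id in Properties[3]. Large scripts are logged in several parts, and
    # each part is scanned on its own.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        $hits = Test-Indicators $text
        # A lone cradle or iex is common in admin scripts; require two families,
        # or any native-memory / elevator hit, before surfacing the event.
        if ($hits.Count -ge 2 -or $hits -contains 'NativeMemoryApi' -or $hits -contains 'ElevatorCom') {
            $preview = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                BlockId = $e.Properties[3].Value
                Hits    = ($hits -join ',')
                Preview = $preview.Substring(0, [Math]::Min(160, $preview.Length))
            }
        }
    }
}

# Constructed sample command lines (not from the campaign) to exercise the rules
# offline: the first is a typical benign task, the second a hidden encoded launch.
$benignCmd = 'powershell.exe -File C:\Scripts\Backup.ps1'
$cradleCmd = 'powershell.exe -w hidden -nop -enc ' + ('A' * 60)
"benign : $((Test-Indicators $benignCmd) -join ',')"
"cradle : $((Test-Indicators $cradleCmd) -join ',')"

# Live hunt on the current host.
Get-SuspiciousTaskActions   | Format-Table -AutoSize
Get-SuspiciousScriptBlocks  | Format-Table -AutoSize
```

Run it elevated so Get-WinEvent can read the operational log. The script-block check deliberately does not fire on a single download cradle, since developer tooling installers legitimately use `irm ... | iex`; it is the combination with hidden windows, encoded arguments or native memory APIs, or any reference to the elevator interface from PowerShell, that distinguishes this kind of loader. Scheduled-task actions are held to a lower bar because a task that launches an encoded or hidden PowerShell command is rarely legitimate on a developer workstation.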


Article by CyberSIXT
