Would-be vibe coders looking to experiment with Claude Code are being targeted by malicious install guide websites that pop up in Google search results and install malware when executed.
Dubbed InstallFix by Push Security, the scheme is a modification of the ClickFix social engineering scam. It inserts instructions to download malware during the Claude Code install process on cloned websites. The attack bypasses many standard malware protections because the user initiates it. Where that often requires the user to open a run dialogue box or perform a CAPTCHA check, InstallFix adds a dodgy URL to an install guide you already trust, making it easy to slip up.
Adding an extra wrinkle is that InstallFix is showing up in Google results as sponsored links when searching for “Claude Code.”
Ideally, you’d avoid pasting URLs you find in guides (or anywhere), but it’s not uncommon to see this when installing some tools online. Indeed, the legitimate Claude Code install site asks you to do just that (this is the real one, check the URL). It’s this curl-to-bash command shown in the image below that causes so many problems when pasted into your terminal and actioned.
Would you notice if the URLs in these legit instructions were slightly different? (Credit: Jon Martindale/Anthropic)
As Push Security describes, the cloned sites look nearly identical to the real thing, with the same logos, layout, and functioning links. But if you check the instructions, you’ll see the URLs for downloading files point to an attacker-controlled server that can download anything it likes, often without tripping your anti-malware software.
As with many modern malware attacks, this one is multipronged as well. When you run the download command, it installs an executable that then downloads more malware from a remote URL. It appears to be related to the Amatera Stealer malware and primarily targets user data, grabbing passwords, cookies, and session tokens. It’s also hard to delete.
Recommended by Our Editors
Although this particular campaign targets Claude Code, InstallFix scams are growing in number and are likely to proliferate further as AI tools attract users looking to vibe code for the first time.
Be careful out there. Check the URLs of the sites you’re visiting, and be extra wary when copying and pasting anything into a terminal from a website you don’t know much about.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Jon Martindale
Contributor
Experience
Jon Martindale is a tech journalist from the UK, with 20 years of experience covering all manner of PC components and associated gadgets. He’s written for a range of publications, including ExtremeTech, Digital Trends, Forbes, U.S. News & World Report, and Lifewire, among others. When not writing, he’s a big board gamer and reader, with a particular habit of speed-reading through long manga sagas.
Jon covers the latest PC components, as well as how-to guides on everything from how to take a screenshot to how to set up your cryptocurrency wallet. He particularly enjoys the battles between the top tech giants in CPUs and GPUs, and tries his best not to take sides.
Jon’s gaming PC is built around the iconic 7950X3D CPU, with a 7900XTX backing it up. That’s all the power he needs to play lightweight indie and casual games, as well as more demanding sim titles like Kerbal Space Program. He uses a pair of Jabra Active 8 earbuds and a SteelSeries Arctis Pro wireless headset, and types all day on a Logitech G915 mechanical keyboard.
Read Full Bio
