Fake Claude Code Installers Steal Developer API Keys via Google Ads
Key Questions
What is the fake Claude Code installer attack?
Fake installers, hosted on 32 live sites and promoted through Google Ads, deliver ACRStealer malware that steals API keys and credentials. The campaign uses fileless malware, post-quantum encryption, and blockchain-based wallet hijacking.
How can developers avoid the fake installer threat?
Developers must obtain the installer exclusively from official channels and verify its source before running it. The attack is an active supply-chain compromise targeting developer credentials.
What does the malware do after installation?
It steals API keys and other credentials while employing post-quantum encryption. It also performs blockchain-based wallet hijacking.
Are there related security concerns for CI/CD pipelines?
Yes. Securing CI/CD in an agentic world is critical, especially where Claude Code is used in GitHub Actions workflows. The malware specifically targets the developer environments used in such pipelines.
How widespread is the current attack campaign?
It involves 32 live malicious sites promoted through Google Ads. The campaign focuses on stealing keys from unsuspecting Claude Code users.
Active supply-chain attack: fake Claude Code installers on 32 live sites, promoted via Google Ads, deliver ACRStealer malware that targets API keys and credentials. The campaign uses fileless malware, post-quantum encryption, and blockchain-based wallet hijacking. Builders must install only from official channels and verify the source of any installer. This is a highly actionable security alert.