Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign

Threat actors are using cloned installation pages for popular AI tools to trick individuals into downloading malware.

Threat actors are cloning installation pages for popular developer tools—such as Anthropic’s Claude Code CLI—and replacing legitimate commands with malware‑installing ones. Malvertising via Google Ads drives victims to these near‑identical fake pages, where executing the provided command triggers an Amatera Stealer infection. Attackers host malicious payloads on legitimate‑looking platforms such as Cloudflare Pages, Squarespace, and Tencent EdgeOne to blend with normal traffic. Variants have also been found impersonating Homebrew, claude.ai, GitHub repos, and NPM packages, indicating a broad, coordinated campaign.

Read more:

https://www.securityweek.com/cloned-ai-tool-sites-distribute-malware-in-installfix-campaign/
