Artificial Intelligence
Claude feature used to trick AI developers into running malware
For seven weeks, a malvertising operation ran quietly through the one channel security teams weren’t watching: a fully legitimate AI platform, exploited from the inside.
TrendAI Research tracked the campaign from April 8 to June 14 2026, and what it found upends a comfortable assumption in the security industry. Developers and AI power users are supposed to be the hard targets, too technical, too sceptical, too used to reading a terminal command before running it. This campaign got past them anyway, and it did so by using infrastructure the victims already trusted.
The operation began conventionally enough. Attackers bought Google Ads targeting searches for popular AI developer tools, including Claude Code, Claude Desktop, ChatGPT Codex, Perplexity, Cursor IDE and JetBrains. Clicking the ad sent victims to lookalike pages hosted on GitLab Pages, under the trusted *.gitlab.io domain. Ninety-two malicious hostnames were built this way across the first four waves of the campaign, rotating fast enough to stay ahead of takedowns.
That part of the playbook isn’t new. Malvertising against developer tools has been running for years, and defenders know roughly what to look for: a slightly wrong domain, a certificate that doesn’t match, a URL that just feels off.
In May, the operators stopped hosting their own pages and started using Claude’s Share Chat feature instead. Rather than building a lookalike site, they created a conversation on claude.ai, shared it, and pointed their ads directly at the resulting URL. The link was real. The domain was real. The certificate was valid. Every automated defence that depends on spotting a fake had nothing to flag.
The shared chat itself impersonated Apple Support or a "Corda Team," with a clean layout and step-by-step instructions telling the visitor to open Terminal and paste a command. It read like routine troubleshooting. Anyone who has ever fixed a Mac problem by copying a line into Terminal would recognise the format immediately, which is exactly the point.
That command, once decoded, fetched a script that checked for a Russian keyboard layout before doing anything else. If the check found one, it quietly stood down. If not, it deployed MacSync, an infostealer designed to harvest browser credentials, cookies, SSH keys and cryptocurrency wallet files and then send them all to a second server. At least 45 separate shared conversations were used this way, with the busiest single link drawing 55 confirmed victims across multiple countries.
Why this particular pivot matters
Security tooling is built to catch anomalies: a suspicious domain, a typo, a certificate mismatch. None of those signals exist when the malicious content is sitting on the legitimate platform’s own servers. There’s no bad domain to block, because the domain is claude.ai. There’s no reputation score to flag, because the reputation is real. The only thing standing between the victim and the malware becomes the victim’s own judgment in the moment, which is precisely the layer social engineering is designed to defeat.
The geography backs this reading up. Once the campaign shifted to Claude.ai, the targeting broadened beyond its original focus in Taiwan, Malaysia and Japan to include Singapore, India, Italy and France, suggesting the operators were actively tuning their approach as they gathered performance data.
What organisations should take from this
TrendAI notified Anthropic, which investigated, banned the accounts involved, disabled the malicious conversations, and is now building additional abuse detection into the sharing feature. That response matters, but it doesn’t retroactively fix the underlying problem: any platform that lets users publish content on a trusted domain is a potential delivery mechanism for this kind of attack, whether that’s Claude, GitLab Pages, or the next service attackers decide to test.
Two practical habits reduce exposure more than any single tool does. First, treat any instruction to paste a terminal or PowerShell command as a red flag by default, regardless of how official the surrounding page looks, and regardless of which domain it’s hosted on. Second, install developer tools through official package managers such as brew, npm or pip rather than following web-based instructions at all, which removes the decision point entirely.
The uncomfortable lesson here isn’t really about Claude. It’s that trust in a domain was never a reliable substitute for scrutiny of the instruction itself, and this campaign is a preview of how often that gap will get tested going forward.
Fyodor Yarochkin is a Threat Solution Architect at Trend Micro Research
Main image courtesy of iStockPhoto.com and Olemedia
Please take 30 seconds to register
Already have an account? Sign in
Related Stories
AI News
World Cup 2026: France going out? Chris Sutton's score predictions for quarter
3 minutes ago
AI News
Honolulu Homeless Services Program Too Disorganized To Assess, Auditor Says
4 minutes ago
AI News
What will Vancouver look like now FIFA World Cup has moved on?
4 minutes ago
AI News
Trump says Ukraine will get licence to produce Patriot missiles
4 minutes ago
AI News
Wreckage of missing cargo plane found off Pakistan coast as search continues for crew
4 minutes ago
AI News
Al Potter, N.L. man serving life sentence for murder, dies in Quebec prison
5 minutes ago
AI News
Indictments tying Bishnoi to Surrey, B.C., killing detail alleged global criminal network
5 minutes ago
AI News
Manitoba MPs announce work permit extensions for provincial nominee candidates
5 minutes ago