Wednesday, 08 July 2026 PDT | 06:43 PM
The 1 News Alt Logo Text Smart News for Global Indians

Artificial Intelligence

AI News July 09, 2026 06:01 AM
Artificial Intelligence

Claude feature used to trick AI developers into running malware

For seven weeks, a malvertising operation ran quietly through the one channel security teams weren’t watching: a fully legitimate AI platform, exploited from the inside.

TrendAI Research tracked the campaign from April 8 to June 14 2026, and what it found upends a comfortable assumption in the security industry. Developers and AI power users are supposed to be the hard targets, too technical, too sceptical, too used to reading a terminal command before running it. This campaign got past them anyway, and it did so by using infrastructure the victims already trusted.

The operation began conventionally enough. Attackers bought Google Ads targeting searches for popular AI developer tools, including Claude Code, Claude Desktop, ChatGPT Codex, Perplexity, Cursor IDE and JetBrains. Clicking the ad sent victims to lookalike pages hosted on GitLab Pages, under the trusted *.gitlab.io domain. Ninety-two malicious hostnames were built this way across the first four waves of the campaign, rotating fast enough to stay ahead of takedowns.

That part of the playbook isn’t new. Malvertising against developer tools has been running for years, and defenders know roughly what to look for: a slightly wrong domain, a certificate that doesn’t match, a URL that just feels off.

In May, the operators stopped hosting their own pages and started using Claude’s Share Chat feature instead. Rather than building a lookalike site, they created a conversation on claude.ai, shared it, and pointed their ads directly at the resulting URL. The link was real. The domain was real. The certificate was valid. Every automated defence that depends on spotting a fake had nothing to flag.

The shared chat itself impersonated Apple Support or a "Corda Team," with a clean layout and step-by-step instructions telling the visitor to open Terminal and paste a command. It read like routine troubleshooting. Anyone who has ever fixed a Mac problem by copying a line into Terminal would recognise the format immediately, which is exactly the point.

That command, once decoded, fetched a script that checked for a Russian keyboard layout before doing anything else. If the check found one, it quietly stood down. If not, it deployed MacSync, an infostealer designed to harvest browser credentials, cookies, SSH keys and cryptocurrency wallet files and then send them all to a second server. At least 45 separate shared conversations were used this way, with the busiest single link drawing 55 confirmed victims across multiple countries.

Why this particular pivot matters

Security tooling is built to catch anomalies: a suspicious domain, a typo, a certificate mismatch. None of those signals exist when the malicious content is sitting on the legitimate platform’s own servers. There’s no bad domain to block, because the domain is claude.ai. There’s no reputation score to flag, because the reputation is real. The only thing standing between the victim and the malware becomes the victim’s own judgment in the moment, which is precisely the layer social engineering is designed to defeat.

The geography backs this reading up. Once the campaign shifted to Claude.ai, the targeting broadened beyond its original focus in Taiwan, Malaysia and Japan to include Singapore, India, Italy and France, suggesting the operators were actively tuning their approach as they gathered performance data.

What organisations should take from this

TrendAI notified Anthropic, which investigated, banned the accounts involved, disabled the malicious conversations, and is now building additional abuse detection into the sharing feature. That response matters, but it doesn’t retroactively fix the underlying problem: any platform that lets users publish content on a trusted domain is a potential delivery mechanism for this kind of attack, whether that’s Claude, GitLab Pages, or the next service attackers decide to test.

Two practical habits reduce exposure more than any single tool does. First, treat any instruction to paste a terminal or PowerShell command as a red flag by default, regardless of how official the surrounding page looks, and regardless of which domain it’s hosted on. Second, install developer tools through official package managers such as brew, npm or pip rather than following web-based instructions at all, which removes the decision point entirely.

The uncomfortable lesson here isn’t really about Claude. It’s that trust in a domain was never a reliable substitute for scrutiny of the instruction itself, and this campaign is a preview of how often that gap will get tested going forward.

Fyodor Yarochkin is a Threat Solution Architect at Trend Micro Research

Main image courtesy of iStockPhoto.com and Olemedia

Please take 30 seconds to register

Already have an account? Sign in