Fake Anthropic Sites Target Claude Code Users With Infostealer

Cybercriminals have set up a network of fake websites impersonating Anthropic, the AI safety company behind Claude, with the goal of distributing a fileless infostealer to developers who use Claude Code. The campaign, reported by Hackread, exploits the tool's surging popularity by luring users who search for Claude Code downloads or documentation to convincing lookalike domains.

The attack is timed to coincide with a period of rapid adoption. Anthropic's revenue run rate recently hit $4.7 billion, driven in large part by Claude Code's explosive growth, making the developer tool an attractive target for threat actors looking for a concentrated pool of technically sophisticated victims. Developers often run code from the command line with elevated permissions, which makes them high-value targets for credential and token theft.

How the Attack Works

The campaign relies on typosquatted or lookalike domains that mimic official Anthropic pages. Visitors are prompted to download what appears to be a legitimate Claude Code installer or extension. Instead, the payload executes a fileless infostealer directly in memory, avoiding common file-based antivirus detection. Fileless malware of this kind is particularly dangerous because it leaves minimal traces on disk, making forensic investigation and endpoint detection harder.

Once executed, infostealers of this type typically harvest browser-stored credentials, API keys, session tokens, and SSH keys. For developers working with AI tooling, stolen API keys can have significant financial and operational consequences, since compromised keys may be used to rack up usage charges or exfiltrate proprietary prompts and code.

Fileless attacks are increasingly common against developer-focused tools because the victims tend to be technically confident, which can reduce suspicion when a command-line installer asks for permissions.Hackread security analysis

Why Claude Code Users Are a Target

Claude Code has undergone significant updates in recent months. Version 2.1.152 shipped Auto Mode to all users alongside skill controls and message hooks, expanding its capabilities and drawing more developers into the ecosystem. A larger, more active user base naturally widens the pool of potential victims for phishing and malware campaigns.

Anthropic has been transparent about operational challenges with Claude Code, which means developers frequently search for updates, patches, and troubleshooting guides. That search behavior is exactly what attackers exploit, bidding on related keywords or seeding fake results that appear alongside legitimate Anthropic pages.

How to Stay Safe

The most straightforward defense is to access Claude Code exclusively through Anthropic's official website or verified package repositories such as npm or PyPI. Developers should verify the domain carefully before downloading anything and treat any unsolicited prompt to install software or run a script with skepticism. Enabling multi-factor authentication on accounts associated with API keys adds another layer of protection even if credentials are compromised.

Security teams should also audit developer workstations for unusual in-memory processes and monitor for unexpected API key usage. Organizations that allow employees to use Claude Code for autonomous or agentic tasks should review their key management policies, given how much access those credentials can carry. The broader risk here is not just individual credential theft but potential compromise of CI/CD pipelines and production environments connected to those keys.

As AI coding tools become standard in professional workflows, campaigns targeting their users are likely to increase. This incident is a reminder that the security surface area around AI development tools deserves the same scrutiny as any other enterprise software.