Infosecurity Magazine reported on 22 May 2026 that EclecticIQ researchers uncovered an active SEO-poisoning campaign in which threat actors registered look-alike domains (claudecode[.]co[.]com and claude-setup[.]com, alongside parallel Gemini CLI lures) to impersonate Anthropic's Claude Code installation pages and deliver a Windows infostealer. Victims are tricked into copying a PowerShell command from a cloned install page; execution fetches an in-memory payload that exfiltrates browser credentials and cookies, Slack, Microsoft Teams, Discord, Mattermost, Zoom and Telegram session data, VPN configs, cryptocurrency wallets and cloud-storage artifacts to a C2 at events[.]ms709[.]com. The operator also retains arbitrary remote code execution on infected hosts, enabling hands-on follow-on intrusion. Initial domains were observed from early March 2026 and the campaign appears geographically tuned to US and UK developers. Users should install Claude Code only from official Anthropic sources and treat any installer that asks them to paste a PowerShell one-liner as hostile.
// Alert
Claude threat report
// ClaudeHIGH
// Get alerts for Claude