Post by Expel

Developers looking to install Claude Code might be downloading malware instead. Meet InstallFix. In just one month, fake Claude Code installation pages have surged, accounting for 13% of all malware incidents we observed in March 2026. How does it work? Cybercriminals clone Anthropic's official installation documentation but swap the legitimate terminal commands with malicious ones. When users copy and paste the code into their terminal, they unknowingly pull down a remote payload. The key insight: Attackers are getting highly sophisticated with evasion. We are seeing variants that use polyglot files, such as hiding malicious HTML inside an MSIX bundle. This forces the payload to be executed via mshta, deliberately causing standard sandboxes and analysis tools to fail. Both Windows and macOS environments are actively being targeted using native tools like PowerShell, mshta, and curl. To defend against this, organizations should block newly registered domains at the network level, implement clipboard protections, and restrict unexpected native binaries. Want the full technical breakdown and indicators of compromise? Read our latest Threat Intel blog to learn how to protect your team from the InstallFix watering hole attack: https://lnkd.in/ew9UQiS3