If you searched Google for “Claude Code” in March and clicked the top result, you might have installed malware instead of Anthropic’s AI coding tool. That is not a hypothetical. It happened.
Bybit’s security team uncovered a malware campaign that used SEO poisoning to push a fake Claude Code installation page to the top of Google search results. macOS users who clicked the link downloaded what looked like a normal installer. Instead, it deployed a two-stage attack chain that stole browser credentials, macOS Keychain entries, Telegram sessions, VPN profiles, and cryptocurrency wallet data from over 250 browser extensions.
The campaign was first spotted on March 12, 2026. The fake site looked almost identical to Anthropic’s real documentation. Most people would not have noticed the difference.
How Does the Claude Code Crypto Malware Work?
The attack was built in two stages. Both were designed to be invisible.
Stage one: when a user downloaded the fake installer, it dropped a Mach-O binary onto their Mac. That binary deployed a script-based info stealer that Bybit’s researchers said shows similarities to AMOS and Banshee, two well-known malware families that have been targeting Apple users since 2023. The stealer ran through a multi-phase process to dig through the system and grab everything it could find.
Stage two: it went after crypto specifically. The malware scanned for over 250 browser-based wallet extensions, the kind that millions of crypto users have installed in Chrome, Brave, and Firefox. It also targeted desktop wallet apps. In some cases, it tried to replace legitimate copies of Ledger Live and Trezor Suite with trojanised versions. So even if you checked your apps afterwards, they would look normal but would be quietly sending your data to the attacker.
The malware also used a clever social engineering trick. It popped up a fake macOS password prompt that looked exactly like the real system dialog. If you typed your password, it was captured and used to unlock your Keychain, which stores all your saved passwords, authentication tokens, and encryption keys. One password, and the attacker had everything.
Why Did Hackers Target Claude Code Users?
Claude Code is Anthropic’s command-line AI coding tool. It has become one of the most popular developer tools in 2026, used by software engineers, crypto developers, and AI researchers to write and debug code directly from their terminal.
That popularity is exactly what made it a target. CryptoTimes reported that developers are “high-value victims” because they typically have direct access to codebases, cloud infrastructure, signing keys, and personal crypto wallets on the same machine. A single compromised developer laptop can cascade into source code theft, CI/CD pipeline access, and in the worst cases, the kind of multisig signing exploits that enabled the $1.4 billion Bybit hack in February 2025 and the $285 million Drift Protocol exploit this month.
Microsoft’s Defender Experts team confirmed in February 2026 that macOS-targeted infostealer campaigns are increasingly using fake AI tool installers as delivery vehicles. Claude Code was not the first AI tool to be spoofed this way, and it will not be the last.
How Did Bybit Catch It?
This is where the story gets interesting. Bybit used AI to catch an AI-era attack.
The exchange’s Security Operations Center runs what it calls an “AI-assisted SOC” that can move from detection to full kill chain analysis in a single operational session. David Zong, Bybit’s Head of Group Risk Control and Security, said the entire process of decompiling the malware, extracting indicators, drafting the threat report, and writing detection rules was completed in one session. Work that used to take a team of analysts across multiple shifts was done in hours.
Bybit identified the malicious infrastructure on March 12, completed its analysis the same day, and published public detection guidance on March 20. The speed matters. Every day a fake installer sits at the top of Google is another day that developers are getting compromised.
Zong was blunt about what this means for the future: “We will face an AI war. Using AI to defend against AI is an inevitable trend.”
How to Protect Yourself From Fake AI Tool Installers
If you use Claude Code or any other AI developer tool, there are a few things you should do right now.
First, only download from official sources. Claude Code’s real installation instructions are on Anthropic’s official website and documentation. Never trust a Google search result that takes you to an unfamiliar domain, even if it looks legitimate.
Second, check your browser extensions. If you have crypto wallet extensions installed, verify they have not been modified. Look for unexpected permissions, recent update dates you do not recognise, or extensions you do not remember installing.
Third, check your desktop wallet apps. If you use Ledger Live or Trezor Suite, delete them and reinstall fresh from the official download pages. The malware in this campaign specifically tried to replace these apps with trojanised copies.
Fourth, change your passwords. If you entered your macOS password into any prompt you were not expecting, assume your Keychain has been compromised. Change your passwords for any service stored in Keychain, especially exchange accounts, email, and cloud infrastructure.
Fifth, use a hardware wallet. Keeping your crypto on a hardware device means that even if your laptop is compromised, the attacker cannot move funds without physical access to the device.
Frequently Asked Questions
What is the Claude Code malware campaign?
Hackers used SEO poisoning to push a fake Claude Code installation page to the top of Google search results in March 2026. macOS users who downloaded the fake installer had their browser credentials, crypto wallets, and system passwords stolen by malware similar to AMOS and Banshee variants.
How many crypto wallets were targeted by the Claude Code malware?
Bybit researchers identified targeted access attempts against more than 250 browser-based wallet extensions and multiple desktop wallet applications including Ledger Live and Trezor Suite. The malware attempted to replace legitimate wallet apps with trojanised versions.
How can I tell if I downloaded the fake Claude Code installer?
If you downloaded Claude Code from any source other than Anthropic’s official website or documentation, you may be affected. Check your browser extensions for unexpected changes, reinstall desktop wallet apps from official sources, and change any passwords you may have entered into unexpected macOS system prompts.
