“We saw different sites executing identical binaries, further indicating that these are part of a single attacker campaign,” Push Security says.

The cybersecurity firm also notes that threat actors are abusing legitimate domains such as Cloudflare Pages, Squarespace, and Tencent EdgeOne to host malicious content and blend with normal web traffic.

Threat actors were also seen hosting malicious terminal commands on public pages on claude.ai, distributing the Cuckoo infostealer via clones of the Homebrew website, hosting rogue OpenClaw installers in GitHub repositories, and distributing malware through NPM packages mimicking Claude Code.

“But this isn’t just a Claude problem — any tool or site that is likely to get clicks, and can be easily cloned, is a potential target for malvertising and impersonation,” Push Security notes.


Ionut Arghire is an international correspondent for SecurityWeek.


Source: SecurityWeek