Fake Claude Code site served trojan — detected by Windows Defender as Trojan:Win32/Kepavll!rfn

A Reddit user on r/ClaudeAI reported that the first Google search result for "Claude Code" was a fake website with the exact same design language as the official Anthropic site. After downloading and running a PowerShell install command, Windows Defender caught the payload as Trojan:Win32/Kepavll!rfn.

What happened

• The user, who has been online since 1996 and works mostly on macOS, needed to use Claude Code on a rarely used Windows PC.
• Clicked the first Google result for "Claude Code" — the site looked identical to the official one.
• Ran the PowerShell install command (similar to the legitimate iex (irm <url>) pattern) without verifying the URL.
• Windows Defender immediately flagged the download as Trojan:Win32/Kepavll!rfn.

How to avoid this

• Always check the domain: official Claude Code downloads are on docs.anthropic.com or the official GitHub repository, not a lookalike.
• For Windows, use winget install ClaudeCode or download the MSI directly from the official source.
• Never run iex (irm ...) from a search result — manually verify the URL before pasting into PowerShell.