Signal
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-03-09 10:48 UTCUpdated 2026-03-10 00:13 UTC
rss
claude_code
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
No card needed for the free brief.
Evidence trail (top sources)
top sources (4 domains)domains are deduped. counts indicate coverage, not truth.4 top sources shown
Overview
Fake installation guide pages for Anthropic's Claude Code have been leveraged to spread the Amatera information-stealing malware as part of a new InstallFix attack campaign, a new variant of the ClickFix social engineering method, reports BleepingComputer.
Score total
1.57
Momentum 24h
5
Posts
5
Origins
5
Source types
1
Duplicate ratio
0%
All evidence
All evidence
Amatera infostealer deployed via phony Claude Code guides
SC Media · scworld.com · 2026-03-10 00:13 UTC
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
thehackernews · thehackernews.com · 2026-03-09 18:31 UTC
Fake Claude Code install pages hit Windows and Mac users with infostealers
Malwarebytes Threat Analysis · malwarebytes.com · 2026-03-09 13:07 UTC
Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign
SecurityWeek · securityweek.com · 2026-03-09 11:42 UTC
Fake Claude Code install pages highlight rise of “InstallFix” attacks
Help Net Security · helpnetsecurity.com · 2026-03-09 10:48 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 5Origin domains: 5Duplicates: -
Showing 5 / 0
Top publishers (this list)
- SC Media (1)
- thehackernews (1)
- Malwarebytes Threat Analysis (1)
- SecurityWeek (1)
- Help Net Security (1)
Top origin domains (this list)
- scworld.com (1)
- thehackernews.com (1)
- malwarebytes.com (1)
- securityweek.com (1)
- helpnetsecurity.com (1)