Start a project

← All posts

Claude.ai Shared Chats Are Being Weaponized to Deliver Mac Malware

· Dracode · cybersecurity · developer-tools

An active malvertising campaign spotted this week is using Google Ads and publicly shared Claude.ai conversations to deliver a macOS infostealer at developers searching for “Claude mac download.” The attack requires no domain spoofing, no fake login page, and no suspicious URL — it uses Anthropic’s own infrastructure end to end.

The Infection Chain: One Legitimate URL, No Red Flags

Security engineer Berk Albayrak discovered the campaign while searching for the Claude desktop app on Google. BleepingComputer independently confirmed a second active variant running on entirely separate infrastructure, meaning this is not an isolated test.

The chain:

  1. A user searches for “Claude mac download” on Google.
  2. A sponsored result appears with claude.ai as the destination — not a lookalike domain, not a typo-squatted URL.
  3. The ad links to a publicly shared Claude.ai conversation presenting itself as an official “Claude Code on Mac” installation guide, falsely attributed to “Apple Support.”
  4. The chat instructs the user to open Terminal and paste a command.
  5. That command fetches a base64-encoded shell script from an attacker-controlled server, decodes it entirely in memory, and executes it — leaving minimal trace on disk.

The payload is delivered via polymorphic generation: the attacker’s server produces a uniquely obfuscated copy of the script for each request. Static AV signature matching fails by design.

How Attackers Turned a Collaboration Feature Into a Payload Host

Claude.ai lets users share conversations at public URLs under the claude.ai domain — a feature designed for collaboration that here becomes the attack surface.

Because the malicious instructions live inside a real claude.ai chat, the Google Ad can legitimately display claude.ai as the destination. Google’s ad verification passed because the URL resolves correctly to Anthropic’s infrastructure. The trust signal developers would normally use to evaluate a link — the domain — is completely valid.

This is a structural problem with any platform that lets users publish arbitrary content at a first-party domain. Dropbox shared links, Notion pages, and GitHub Pages have all been abused similarly. The novel angle here is using an AI assistant’s conversational format to make Terminal commands look like routine setup instructions from a recognizable source.

What MacSync Steals — and Who It Deliberately Skips

If the script executes, it deploys a variant of the MacSync macOS information stealer. Targets:

  • Browser saved passwords and credentials
  • Browser session cookies (authentication tokens included)
  • macOS Keychain contents

The Keychain is the critical exposure for most development teams. It stores Wi-Fi credentials, private SSH keys, app credentials, and iCloud data. Depending on how credential helpers are configured, AWS access keys, API tokens, and signing certificates may also be reachable.

One variant performs victim profiling before sending the main payload. It checks whether Russian or CIS-region keyboard input sources are configured on the machine. If so, the script exits cleanly and sends a cis_blocked status ping to the attacker’s server. It also collects the external IP, hostname, OS version, and keyboard locale before proceeding. The operators are running a commercially motivated campaign and tracking their victim pool in real time — not spraying indiscriminately.

Why Claude Mac Malware via Shared Chat Is Hard to Catch

The standard defensive layers all fail here.

Domain reputation filtering passes: claude.ai has a perfect reputation score. No malicious domain appears in the visible chain until the Terminal command fires.

Ad verification passes: Google’s policies require ads to point to their claimed domain. The ad does — to claude.ai. There is nothing to reject.

URL scanners and email gateways have nothing to flag in the Google Ad or the claude.ai link itself.

Antivirus signatures are bypassed by polymorphic delivery, where each payload is generated uniquely per request, and by in-memory execution that writes nothing to disk.

The only control that reliably stops this attack is user behavior: never paste Terminal commands from a source you did not deliberately navigate to for that exact purpose.

What We Tell Every Developer on Our Team

We use Claude Code daily as part of our development workflow. Here is the guidance we are sharing internally:

  • Install Claude Code only from Anthropic’s official documentation at docs.anthropic.com. Do not search for it — navigate directly.
  • Treat any page that hands you a Terminal command as suspicious, even when the domain is legitimate. Cross-reference with the vendor’s official docs before running anything.
  • Audit your macOS Keychain for high-value secrets. Rotate API keys and SSH keys that have been sitting there for months. Anything you would not want exfiltrated should have short rotation windows.
  • Run a network monitor like Little Snitch. MacSync exfiltrates stolen data over the network; an unexpected outbound connection from a shell process is a signal that disk-based AV will miss.

The deeper issue is not this specific campaign — it will be taken down and replaced by a variant. The issue is that AI platforms with shared content features are becoming an attractive hosting layer for social engineering. Users trust those domains. Attackers know it. This class of attack will get more common, not less.

If you are auditing your team’s credential hygiene and developer security posture, get in touch.

Sources

  1. Hackers abuse Google ads, Claude.ai chats to push Mac malware — BleepingComputer, May 10, 2026
  2. Hackers Abuse Google Ads and Claude.ai Shared Chats to Distribute macOS Malware — gHacks Tech News, May 11, 2026
  3. Mac Users Warned Over Fake Claude Install Instructions — TechRepublic, May 2026