Google Serves Malware Through Fake Claude Code Ad in Top Search Result

Summary

Security researcher Adam Geitgey has discovered that Google is serving malware disguised as Claude Code installation instructions through a paid advertisement appearing at the top of search results. When users search for "download claude code," they encounter an ad linking to a fake website that mimics Anthropic's legitimate Claude Code site. The malicious site tricks users into running a compromised curl command that downloads and executes multiple layers of encoded malware payloads.

The attack specifically targets developers' trust in command-line installation processes, modifying the legitimate installation command with a malicious URL. The payload chain includes base64-encoded scripts and gzip files that ultimately download an executable from a known malicious domain and install it at /tmp/helper. The binary has been flagged on multiple malware reporting sites, though its exact payload remains unclear.

This incident highlights ongoing vulnerabilities in Google's advertising verification process, particularly for technical products where users are expected to execute terminal commands. As of the report's publication, the malicious advertisement remained active on Google Search. The case underscores the difficulty users face in reporting security issues to Google and raises questions about the tech giant's responsibility to protect users from sophisticated malware delivery through its advertising platform.

• The malicious advertisement was still active at the time of reporting, with no clear mechanism for users to report such issues to Google