PERMISSION/PROTOCOL

2026-06-03

High | Media report

Fake Claude Code and Codex installers via Google Sites deliver fileless in-memory credential stealer targeting AI developer sessions

Threat actors used Google Sites to host fake Claude Code and Codex installers delivering a fileless in-memory stealer targeting developer credentials, AI API keys, and browser sessions.

Fake Claude Code / Fake Codex (impersonation campaign)
Credential exposure
Supply chain impersonation / fileless credential stealer targeting AI developer tooling
Developer workstations / AI agent session credentials / CI/CD API keys

What happened

A developer visits a fake Claude Code or Codex install page on Google Sites and is instructed to paste an mshta.exe command into the Run dialog. The command delivers a fileless infostealer that exfiltrates AI API keys, browser credentials, and developer environment secrets.

Why it matters

Stolen developer API keys allow full impersonation of AI agent sessions. Specific AI tools targeted: Claude Code, Cline, Continue.dev. Browser credentials, email credentials, and crypto wallets also stolen. Active campaign across 88 domains as of June 2026.

Missing authorization check

AI agent frameworks should not treat bare API key possession as sufficient authorization for high-impact actions: a key alone cannot prove the session's legitimacy or the human operator's intent.

Would PP block it?

PP receipts bind agent actions to channel-authenticated approvals. Even if an attacker uses a stolen Claude Code API key to call the model, they cannot produce a valid authority receipt for actions requiring human approval — the receipt requires a separate verified channel the attacker does not control.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-03-01

    Campaign begins. EclecticIQ later dates the earliest infrastructure to early March 2026. SEO poisoning targeting Claude Code download queries goes active.

  2. 2026-05-14

    Straiker analysis finds 88 domains across 10 hosting platforms, 32 still active and serving malicious content.

  3. 2026-06-01

    Cyderes / HackRead report fileless infostealer variant targeting fake Anthropic sites specifically.

  4. 2026-06-03

    ANY.RUN (@anyrun_app) publishes analysis of ClickFix variant using Google Sites to deliver in-memory stealer targeting Claude Code and Codex.

  5. 2026-06-04

    CybersecurityNews publishes coverage of the Google Sites-hosted campaign.

Technical breakdown

  • Google Sites hosting used specifically because sites.google.com is allowlisted by corporate firewalls, email security gateways, and web filters — bypassing controls that would catch unknown domains.
  • ClickFix social engineering: the victim is shown a fake error or verification prompt instructing them to paste an mshta.exe command into the Run dialog or a terminal.
  • mshta.exe fetches a 6.7 MB MP3/HTA polyglot — audio file headers pass file-type inspection; embedded HTA script executes. Deliberate large payload size designed to crash sandbox analysis tools.
  • Payload runs entirely in memory via reflective .NET Assembly.Load(byte[]) inside PowerShell — no files written to disk, evading signature-based AV and most EDR solutions.
  • Specific targeting of AI coding agent credential stores (Claude Code, Cline, Continue.dev) is a novel targeting category. C2 routing through Binance Smart Chain smart contract is takedown-resistant — no domain to seize, no server to shut off.
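
The polyglot in the breakdown passes file-type inspection because the check stops at the audio header. The added example below (not code from ANY.RUN or the other cited reports) scans the whole buffer for HTA/script markers in ASCII and UTF-16LE; the marker list, sample bytes and function names are assumptions constructed for illustration.

```python
# Added example: flag files that open like MP3 audio but also carry HTA/script markup.
ID3_HEADER = b"ID3\x03\x00\x00\x00\x00\x00\x20"  # constructed 10-byte ID3v2 header

# Markers of embedded HTA/script content (assumed list); searched across the whole file.
HTA_MARKERS = (b"<hta:application", b"<script", b"</script>", b"<html")

# Constructed, inert samples: audio header followed by markup, and plain audio bytes.
POLYGLOT_SAMPLE = (ID3_HEADER + b"\x00" * 32
                   + b"<HTA:APPLICATION ID=x><SCRIPT>/* inert */</SCRIPT>")
CLEAN_SAMPLE = ID3_HEADER + b"\x00" * 32 + b"\xff\xfb\x90\x00" + b"\x55" * 64


def looks_like_mp3(data: bytes) -> bool:
    """True if the buffer starts with an ID3v2 tag or an MPEG audio frame sync."""
    if len(data) >= 10 and data[:3] == b"ID3":
        return True
    # MPEG frame sync is 11 set bits: 0xFF, then the top three bits of the next byte.
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def find_script_markers(data: bytes) -> list:
    """Return (marker, first_offset) for each marker found, ASCII or UTF-16LE."""
    lowered = data.lower()  # bytes.lower() folds ASCII letters only
    hits = []
    for marker in HTA_MARKERS:
        for variant in (marker, marker.decode().encode("utf-16-le")):
            pos = lowered.find(variant)
            if pos != -1:
                hits.append((marker.decode(), pos))
                break
    return hits


def classify(data: bytes) -> dict:
    """A polyglot is an audio-looking file that also contains script markup."""
    audio = looks_like_mp3(data)
    hits = find_script_markers(data)
    return {"audio_header": audio, "markers": hits, "polyglot": audio and bool(hits)}


if __name__ == "__main__":
    for name, blob in (("polyglot", POLYGLOT_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, classify(blob))
```

A hit is a triage signal rather than a verdict: ID3 text frames can legitimately contain angle-bracket text, so pair it with the download source and the process that opened the file.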

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Agent session authentication, high-impact action approval gates
Still needs: No mechanism to distinguish stolen API key sessions from legitimate developer sessions; no per-action authority binding beyond key possession
Receipt required for: Any high-impact agent action initiated via API key (code commits, deployments, cloud resource modifications) must require a receipt binding the action to a verified human approval channel

Stolen API keys allow model calls but cannot produce PP authority receipts, because receipts require channel authentication beyond API key possession. A PP-gated action requires a receipt tying the request to a verified human approval channel that the attacker's stolen key cannot replicate.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.