According to GoPlus, malicious Google Search results and ads for Claude Code led users to cloned install pages designed to steal login data, crypto wallets, and other sensitive system information.
GoPlus warned on March 11 that top Google Search results and sponsored ads for Claude Code were serving malicious installers through pixel-perfect copies of the official download pages. According to the alert, the malware was built to steal passwords, cookies, session tokens, crypto wallets, account credentials, and system information. The warning highlights a search-ad phishing tactic in which attackers imitate legitimate software pages to distribute malware and capture sensitive data.