What a Fake Claude Download Says About Security Today
ID: 32bb5d7d-b3ba-5046-be8e-ebbe807e1099
STIX ID: report--32bb5d7d-b3ba-5046-be8e-ebbe807e1099
Feed Name: Huntress Blog
Huntress recounts an incident where a malicious sponsored Google search result delivered a multi-stage macOS payload that used base64+gzip encoding and obfuscated AppleScript to deploy a second payload targeting the macOS keychain (Claude Code credentials). The infected engineer shut down and reported the activity immediately; Huntress SOC contained the infection, rotated credentials, and found no evidence the attackers succeeded. The report emphasizes the rising sophistication of malvertising, the importance of rapid reporting and response, and basic controls (MFA, vetted AI tools, password managers) to improve resilience.
