InstallFix clones of dev tools: are search ads your weak point?

TL;DR: InstallFix uses cloned installation pages, malicious search ads, and fake copy-and-paste commands to trick users into running infostealer payloads, with Push Security observing campaigns targeting Claude Code and NotebookLM. The pattern shows that trust in developer tool install instructions is now a governance problem, not just a user-training issue.

NHIMG editorial — based on content published by Push Security: Attackers are cloning developer tool install pages to deliver infostealer malware through malicious search ads

By the numbers:

• 4 in 5 ClickFix lures we intercept are accessed from search engines.

Questions worth separating out

Q: How should security teams handle copy-paste install commands for developer tools?

A: They should treat copied install commands as executable code, not as documentation.

Q: Why do search ads create extra risk for developer tool installs?

A: Search ads can place a malicious clone above the legitimate result and make the page feel normal before the user clicks.

Q: What breaks when a terminal install page is cloned by attackers?

A: The trust model breaks.

Practitioner guidance

• Block direct execution of copied shell install commands where possible Route installation through reviewed package sources, signed artifacts, or managed software distribution so users are not pasting remote execution commands from arbitrary pages.
• Add browser-side detection for cloned install pages Monitor for lookalike domains, copy-to-clipboard command blocks, and search-ad referral patterns in the browser, because those signals often appear before endpoint malware runs.
• Treat session tokens and saved browser credentials as high-value identity material Harden cookie and token lifetimes, review where developer credentials are stored, and assume infostealers will target the browser before they target cloud control planes.

What's in the full article

Push Security's full blog post covers the operational detail this post intentionally leaves for the source:

• The full list of observed domains, payload hosts, and command strings used in the InstallFix campaign
• Process-level teardown of the Windows and macOS execution chain, including the mshta and staging sequence
• Campaign indicators and browser signals used to detect lookalike install pages in real time
• Additional examples across Claude Code, NotebookLM, Homebrew, and other impersonated tools

👉 Read Push Security's analysis of the InstallFix campaign targeting Claude Code →

InstallFix clones of dev tools: are search ads your weak point?

Explore further

View Full Forum →  |  NHI Foundation Course →