A new report from the Cyber Defence Centre at Ontinue has found a campaign targeting software developers with fake installation pages that look like official sites for AI tools like Claude Code.
The attack begins when a user searches for ‘install Claude code’ and clicks on a sponsored result. This link goes to a lookalike page that shows an installation command. While the real command uses the host ‘claude.ai,’ the fake version uses ‘events.msft23.com.’ Running this command enables Invoke-Rest
