At least one developer has reported downloading a trojan after clicking the top Google result for "Claude Code" - and the malicious listing was still live as of May 10, 2026.
The attack uses a technique called SEO poisoning, where threat actors build convincing fake software pages and optimize them to outrank official sources in search results. A developer searching for Claude Code, Anthropic's command-line coding assistant, clicks the first result, lands on a site that looks legitimate, and downloads an installer that's actually malware.
The real Claude Code installs through npm with a single command: npm install -g @anthropic-ai/claude-code. Anthropic does not publish a standalone Windows installer or direct-download .exe for the tool. If you got Claude Code from anywhere other than the npm registry or Anthropic's official docs at docs.anthropic.com, treat your machine as compromised.
If You Downloaded From an Unverified Source
Act fast. Developer machines running AI coding tools are high-value targets because they typically hold API keys for multiple services (Anthropic, OpenAI, AWS, GitHub), source code, and sometimes cloud infrastructure credentials - all in one place. A trojan executed once can exfiltrate all of it in seconds.
Steps to take immediately:
- Revoke all API keys on that machine - Anthropic, OpenAI, AWS IAM keys, GitHub personal access tokens, anything
- Disconnect from sensitive networks before doing anything else
- Check running processes for anything unfamiliar using Task Manager or
ps aux - Run a full malware scan with an up-to-date tool (Malwarebytes, Windows Defender offline scan)
- Consider a full OS reinstall if you executed the file and can't confirm exactly what ran
A Predictable Target
SEO poisoning attacks against developer tools are not new. Malicious packages impersonating popular npm libraries, fake VS Code extensions, and counterfeit Python installers have all appeared in the past few years. Claude Code is a natural next target - adoption is growing quickly among developers, and Anthropic's brand recognition means people trust results associated with it.
Google has a spotty track record removing these listings quickly. The safest habit going forward is to bookmark docs.anthropic.com directly and never trust search results when downloading developer tooling. Type the URL, don't click the ad or the first organic result.
If you're already using Claude Code installed via npm from the official @anthropic-ai/claude-code package, you're fine - this attack only affects people who went through a search-and-download path.