Fake Claude Code takes the IElevator to your browser secrets
Summary
Attackers are distributing fake Claude Code installers that deliver malware designed to steal sensitive data from developer systems while evading detection and recovering browser encryption keys. The malware uses a PowerShell loader (a script-based delivery method) to hide its activity and abuses the Chrome Elevation Service to bypass Application-Bound Encryption (ABE, a Chrome protection added in version 127 to prevent password and cookie theft).
Solution / Mitigation
Ontinue researchers shared a YARA ruleset (a tool for identifying malware by pattern matching) and indicators of compromise (IOCs, technical signatures that identify malicious activity) through GitHub repositories to support detection.
Original source: https://www.csoonline.com/article/4169992/fake-claude-code-takes-the-ielevator-to-your-browser-secrets.html
First tracked: May 12, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%