Fake Claude Code Installers, Data Sent to ByteDance, Exposed AI Chats & More | AI & Cybersecurity Last Week
Covering 3/4/26 - 3/9/26
Hi, I’m Jasmine — a Product Security Engineer, and if you know me personally, also quite a bit of a travel bug and matcha enthusiast. I’ve realized how hard it is to keep up with everything happening in cybersecurity, AI, and tech because there’s just so much being put out every day. So every week I share the security-related news and stories I found most interesting or relatable. It helps me stay accountable, and hopefully it helps you stay in the loop too :)
AI Research & Vulnerabilities
Fake Claude Code Install Pages Are Stealing Your Passwords via Google Ads:
Push Security researchers uncovered a campaign they are calling InstallFix, where attackers cloned the Claude Code installation page down to its branding and layout, swapping only the install commands to point to attacker-controlled servers delivering the Amatera infostealer. The fake pages are distributed exclusively through Google-sponsored search results targeting queries like “Claude Code install,” and any further clicks on the page redirect to the legitimate site to avoid raising suspicion. Amatera harvests browser-saved passwords, cookies, and session tokens, and uses techniques including direct NTSockets for command-and-control and multi-stage payload delivery to evade antivirus and endpoint detection tools.
Fake OpenClaw Installers on GitHub Are Deploying Infostealer Malware and a Ransomware Proxy Tool:
Huntress researchers investigated malicious GitHub repositories posing as OpenClaw installers that were active between February 2 and 10, 2026, and were promoted directly through Bing AI search results for the query “OpenClaw Windows.” The fake installers deployed multiple information stealers including Vidar and PureLogs Stealer via a novel packer called Stealth Packer, which injects payloads into memory, creates hidden scheduled tasks, and checks for mouse movement as a virtual machine evasion technique. The installers also dropped GhostSocks, which routes attacker traffic through the victim’s machine to bypass MFA and anti-fraud checks when using stolen credentials.
Malicious AI Assistant Browser Extensions Are Quietly Stealing Your Work Conversations:
Microsoft Defender investigated malicious Chromium-based browser extensions impersonating legitimate AI assistant tools, which accumulated approximately 900,000 installs and were detected across more than 20,000 enterprise tenants. The extensions collected full URLs and AI chat content from platforms including ChatGPT and DeepSeek, then transmitted the data to attacker-controlled domains including deepaichats[.]com and chatsaigpt[.]com. Even if users initially declined data collection, subsequent extension updates automatically re-enabled telemetry without clear user notification, giving the threat actor continuous access to browsing activity and sensitive AI conversations.
A Calendar Invite Is All It Takes to Steal Your Local Files in Perplexity Comet:
Zenity Labs disclosed a vulnerability dubbed PerplexedBrowser affecting Perplexity Comet, an agentic browser that autonomously reads page content, interprets instructions, and takes actions on behalf of users. An attacker can embed malicious instructions inside a calendar invite, which hijacks the browser agent’s intent during a routine task like accepting a meeting, granting silent read access to the user’s local file system and enabling exfiltration of credentials, SSH keys, API tokens, and personal documents to attacker-controlled endpoints in under a minute. The vulnerability has since been fixed.
AI News
Anthropic’s Red Team Used Claude to Find 14 High-Severity Bugs Hidden in Firefox:
Anthropic’s Frontier Red Team used Claude to identify security vulnerabilities in Firefox’s JavaScript engine, surfacing over a dozen verifiable bugs with reproducible test cases that Mozilla engineers were able to validate and patch within hours. In total, the collaboration uncovered 14 high-severity bugs and resulted in 22 CVEs, plus 90 additional lower-severity findings, all of which have been fixed in Firefox 148. Mozilla noted that while many lower-severity issues overlapped with what traditional fuzzing tools would catch, Claude also identified distinct classes of logic errors that fuzzers had not previously uncovered despite decades of extensive security review. Anthropic’s version: https://www.anthropic.com/news/mozilla-firefox-security
OpenAI Launches Codex Security to Automatically Find and Fix Vulnerabilities in Your Codebase:
OpenAI launched Codex Security, an AI security agent that scans code repositories to identify, validate, and propose fixes for vulnerabilities, now available in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers with free access for the first month. The tool builds a project-specific threat model by analyzing a repository’s structure, uses that context to search for vulnerabilities ranked by real-world impact, then pressure-tests findings in a sandboxed environment to reduce false positives before surfacing actionable patches.
AI Has Not Caused a Measurable Spike in Unemployment Yet, But Hiring for Young Workers Is Slowing:
Anthropic researchers introduced a new metric called observed exposure, which combines theoretical LLM capability with real-world Claude usage data to measure which jobs are actually being automated rather than just which ones could theoretically be affected, finding that computer programmers, customer service representatives, and data entry keyers are currently the most exposed occupations. Analyzing US labor data since ChatGPT’s release in late 2022, the researchers found no statistically significant increase in unemployment among the most AI-exposed workers, though they did find suggestive evidence that the monthly job-finding rate for workers aged 22 to 25 entering high-exposure occupations has dropped by roughly 14 percent compared to 2022 levels. The study also found that workers in the most exposed occupations tend to skew older, female, more educated, and higher-paid, and that BLS employment growth projections through 2034 are modestly weaker for jobs with higher observed exposure.
Cybersecurity Research & Vulnerabilities
Duolingo, BeReal, and 38 Other Apps Are Sending Your Device Data to ByteDance with Fake Encryption:
A security researcher reverse-engineered ByteDance’s Pangle advertising SDK and found that over 40 popular apps including Duolingo, BeReal, and Character.AI are transmitting detailed device fingerprints to ByteDance servers, including battery level, storage capacity, screen brightness, internal IP address, and persistent device identifiers. The SDK’s encryption scheme embeds both the AES-256 key and IV directly inside every message, making it trivially decryptable by anyone who downloads the publicly available SDK, with the researcher achieving a 100% success rate across all 694 captured payloads. Notably, ByteDance applies genuinely strong encryption to its ad revenue and impression data while using the breakable scheme only for user device telemetry.
Security firm CodeWall ran its autonomous offensive agent against McKinsey's internal AI platform Lilli, used by over 43,000 employees, and within two hours the agent had exploited an unauthenticated SQL injection vulnerability to gain full read and write access to the production database, exposing 46.5 million chat messages, 728,000 files, and 57,000 user accounts. The injection was found in an unprotected endpoint where JSON field names were concatenated directly into SQL queries, a flaw that McKinsey's own internal scanners and OWASP ZAP both missed. Because Lilli's AI system prompts were stored in the same database, an attacker with write access could have silently rewritten the instructions controlling how the AI behaves, without any code deployment or log trail, potentially poisoning advice flowing to consultants and their clients. McKinsey patched the vulnerabilities on March 2 after CodeWall submitted a responsible disclosure.
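For anyone who wants to see the bug class in code: this is an added example, not code from CodeWall or McKinsey, showing a query builder that binds JSON values but pastes JSON field names into the SQL text, next to a version that only accepts known column names. The schema, sample rows, request bodies and function names are all constructed for illustration.

```python
import json
import sqlite3

# Hypothetical filterable columns; everything in this block is constructed.
ALLOWED_FIELDS = {"title", "owner"}

BENIGN_BODY = '{"owner": "alice"}'
# Constructed request whose *key* carries SQL; the value is harmless.
HOSTILE_BODY = '{"owner = owner OR owner": "alice"}'

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    db.executemany("INSERT INTO docs (title, owner) VALUES (?, ?)",
                   [("q1-plan", "alice"), ("pricing", "bob"), ("board-deck", "carol")])
    return db

def parse_filters(body):
    filters = json.loads(body)
    if not isinstance(filters, dict) or not filters:
        raise ValueError("filters must be a non-empty JSON object")
    return filters

def search_vulnerable(db, filters):
    # Values are bound as parameters, but field names become part of the SQL.
    where = " AND ".join(f"{name} = ?" for name in filters)
    sql = f"SELECT title FROM docs WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, list(filters.values()))]

def search_hardened(db, filters):
    # Identifiers cannot be bound as parameters, so reject any key that is
    # not a known column before building the statement.
    unknown = sorted(set(filters) - ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unsupported filter fields: {unknown}")
    where = " AND ".join(f'"{name}" = ?' for name in filters)
    sql = f"SELECT title FROM docs WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, list(filters.values()))]

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, parse_filters(BENIGN_BODY)))   # one row
    print(search_vulnerable(db, parse_filters(HOSTILE_BODY)))  # every row
    try:
        search_hardened(db, parse_filters(HOSTILE_BODY))
    except ValueError as err:
        print("rejected:", err)
```

The takeaway for code review: parameterized values are not enough if any part of the statement's structure (column names, sort keys, table names) comes from the request.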
The iPhone Exploit Kit That Got Passed Around to Three Different Hacker Groups:
Google Threat Intelligence Group identified a sophisticated iOS exploit kit called Coruna containing 23 exploits across five full exploit chains, targeting iPhones running iOS 13.0 through 17.2.1. It first appeared in early 2025 in the hands of a commercial surveillance vendor customer, was then observed in watering hole attacks against Ukrainian websites by suspected Russian espionage group UNC6353, and was later recovered in full from fake Chinese cryptocurrency and finance websites operated by financially motivated threat actor UNC6691. The kit’s final payload, named PLASMAGRID, injects itself into a root-level iOS daemon and deploys modules targeting 18 cryptocurrency wallet apps including MetaMask, Phantom, and Trust Wallet, with all module code logging in Chinese and containing comments consistent with LLM-assisted development. Google says the kit is not effective against the latest version of iOS and urges users to update immediately or enable Lockdown Mode.
This Fake Mac Cleaning App Steals Your Passwords and Then Permanently Backdoors Your Crypto Wallets:
A fake CleanMyMac site at cleanmymacos[.]org instructs visitors to paste a Terminal command that installs SHub Stealer, an AppleScript-based infostealer that harvests browser passwords, Apple Keychain contents, and Telegram sessions, while also scanning for 102 cryptocurrency wallet browser extensions and 23 desktop wallet apps. What sets SHub apart from typical infostealers is that it goes a step further for five wallets: Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite are silently backdoored by replacing their core application logic file, so every subsequent unlock sends the user’s password and seed phrase to attacker-controlled infrastructure, even after the initial infection has been cleaned up. The malware also installs a persistent LaunchAgent disguised as Google’s Keystone updater that beacons every 60 seconds and can execute remote commands indefinitely.
Cybersecurity News
The FBI Is Warning About Scammers Impersonating Local Government Officials to Steal Permit Fees:
The FBI issued an alert about a phishing scheme targeting individuals and businesses with active land-use permit applications, where criminals impersonate city and county planning officials and send convincing emails that include accurate details like property addresses, case numbers, and real officials' names pulled from public records. Victims are then presented with fake invoices and directed to pay via wire transfer, peer-to-peer payment, or cryptocurrency, with emails deliberately avoiding phone contact to prevent victims from calling the actual government office to verify. The FBI advises anyone who receives an unsolicited payment request related to a permit to call the city or county directly using a phone number from the official government website before sending any money.
Hackers Are Posing as IT Support on Microsoft Teams to Install a New Backdoor on Your Computer:
BlueVoyant researchers identified a campaign active since at least August 2025 in which attackers flood a target's inbox with spam, then contact them via Microsoft Teams posing as IT support and request remote access through Windows Quick Assist. Once in, they drop a new backdoor called A0Backdoor inside fake Microsoft Teams installer packages, signed with legitimate-looking certificates to avoid raising flags. The backdoor communicates back to attackers by routing traffic through public DNS servers like 1.1.1.1 rather than connecting directly to attacker infrastructure, a technique designed to blend in with normal network activity and bypass common security monitoring.
The FBI Confirmed Its Own Surveillance Network Was Hit in a Cyberattack:
The FBI confirmed it identified and responded to suspicious activity on its internal networks, with sources telling CBS News the targeted system is the bureau’s Digital Collection Systems Network, a suite of software used to conduct wiretaps, pen registers, and other real-time surveillance operations. The FBI did not disclose when the incident occurred, who was responsible, or whether any data was compromised. The bureau’s statement came amid ongoing fallout from the 2024 Salt Typhoon campaign, in which Chinese state-sponsored hackers breached multiple US telecommunications companies and systems used by US intelligence to conduct wiretaps.

