Fake AI Installers: When "Installing Claude" Turns Into Running Malware

# ~/.bashrc or ~/.zshrc
alias curl='curl --fail --location --show-error'
alias sh='echo "Warning: Direct execution blocked. Use verified script execution

."'

Implement a wrapper that fetches scripts, validates checksums, and executes in a restricted environment:
```bash
verify_and_run() {
  local url="$1"
  local expected_hash="$2"
  local tmp_script=$(mktemp)
  
  curl -fsSL "$url" -o "$tmp_script"
  local actual_hash=$(shasum -a 256 "$tmp_script" | awk '{print $1}')
  
  if [ "$actual_hash" != "$expected_hash" ]; then
    echo "Checksum mismatch. Aborting execution."
    rm -f "$tmp_script"
    exit 1
  fi
  
  bash "$tmp_script"
  rm -f "$tmp_script"
}

2. Clipboard Security & JavaScript API Hardening

Documentation sites must prevent clipboard manipulation. Implement the following:

• Disable navigator.clipboard.writeText() for untrusted origins via Content Security Policy (CSP)
• Use document.execCommand('copy') fallbacks with explicit user gesture validation
• Add clipboard-write permission prompts in modern browsers
• Deploy Subresource Integrity (SRI) hashes on all external scripts to prevent DOM manipulation

3. EDR/Detection Rules for LoLBins

Configure endpoint detection to monitor behavior, not just binaries:

# Sigma-style detection rule for InstallFix chains
title: Suspicious mshta/PowerShell Stager Execution
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    ParentImage: 
      - 'C:\Windows\System32\mshta.exe'
      - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    CommandLine|contains:
      - 'Base64'
      - 'DownloadString'
      - 'IEX'
      - 'amsiutils'
  condition: selection
falsepositives:
  - Legitimate software installers
level: high

4. Architecture Decision: Shift from curl | sh to Package Managers

The familiar pattern is:

curl -fsSL https://example.com/install.sh | sh

or:

curl -fsSL https://example.com/install.sh | zsh

This convenience is the vulnerability. Architecturally, organizations should mandate:

• Package managers (brew, apt, winget, npm) for AI tooling
• Internal artifact repositories with signed binaries
• Terminal paste inspection tools (e.g., clipcheck, terminal-verify plugins)

On Windows, these campaigns often use living-off-the-land binaries. A simplified infection chain can look like this:

browser / user paste
  -> PowerShell
  -> mshta.exe
  -> remote HTA or script
  -> cmd.exe or PowerShell stager
  -> fileless payload
  -> persistence or credential theft

Detection must focus on the behavioral sequence: clipboard paste → PowerShell/mshta invocation → network fetch → AMSI bypass attempt → credential access.

Pitfall Guide

1. Trusting the UI Copy Button Over Pasted Text: JavaScript can intercept copy events and replace clipboard content with attacker-controlled URLs. Always paste into a plain-text editor or use pbpaste/clip to verify before executing.
2. Assuming Sponsored Search Results Are Vetted: Google Ads and malvertising bypass organic SEO filters. Attackers register plausible domains (claude-code-docs.example) and purchase top placements. Verify documentation through official GitHub repos or vendor channels.
3. The curl | sh Convenience Trap: Piping remote scripts directly to a shell removes inspection capability. The trust boundary shifts from code verification to UI trust, which is easily subverted. Always download, inspect, and verify checksums.
4. Ignoring Living-Off-the-Land Binary (LoLBins) Chains: mshta.exe, powershell, and curl are trusted system utilities. EDR must monitor command-line arguments, encoded payloads, and process trees rather than relying on file reputation.
5. Bypassing Formal Software Approval for AI Tooling: Rapid adoption of AI assistants often skips internal vetting. Unmonitored CLI tools create blind spots for DLP and EDR. Enforce software inventory tracking for all developer tooling.
6. Relying on Domain Reputation Alone: Attackers use freshly registered domains with high-fidelity branding. Reputation scores are meaningless for zero-day campaign infrastructure. Validate against official vendor documentation and cryptographic signatures.

Deliverables

📘 InstallFix Defense Blueprint

A comprehensive architecture guide covering terminal verification workflows, EDR rule deployment for LoLBin chains, browser security hardening (CSP, SRI, clipboard API restrictions), and developer onboarding protocols for AI tooling adoption.

✅ Terminal Command Verification Checklist

• Paste commands into a text editor before execution
• Verify domain matches official vendor documentation
• Check for curl | sh patterns and replace with download-verify-execute
• Validate script checksums against official release pages
• Ensure EDR monitors mshta, powershell, and curl process trees
• Disable clipboard-write permissions on untrusted documentation sites
• Route AI tool installations through internal package managers or artifact repos

⚙️ Configuration Templates

• Shell Override Profile: Safe aliases and verify_and_run wrapper for bash/zsh
• EDR Detection Rules: Sigma/YARA templates for InstallFix stager behavior
• CSP & SRI Headers: Nginx/Apache configurations to block clipboard hijacking
• Browser Extension Policy: Allowlist for clipboard inspection and paste-verification tools