Claude.ai Shared Chats Deliver MacSync Stealer to 2000+ Victims via ClickFix

Claude abuse combined with ClickFix lures represents a direct exploitation of AI platform trust. Attackers hijacked searches for developer tools, then shifted hosting to claude.ai domains to bypass filters. The payload chain delivered fileless macOS AppleScript stagers that harvested keychain data and trojanized crypto wallets. Parallel campaigns used NastyC2 npm packages for supply chain persistence and device-code phishing against cloud tenants. Netskope telemetry and extension scans documented 23 deceptive Chrome extensions affecting 758,000 users alongside the AI vector. Technical artifacts show consistent Russian-speaking infrastructure patterns across macOS and npm components. Official vendor statements emphasize platform safety features while procurement records reveal no corresponding detection investments in shared chat abuse monitoring. The pattern reveals AI interfaces treated as open infrastructure rather than hardened trust boundaries. Mainstream reporting isolates Claude incidents from npm and phishing vectors, missing the convergent operational model where one campaign tests multiple delivery paths. Evidence trails from contract awards indicate defenders prioritize endpoint tools over resolver-level controls. Next phase will likely involve scaled use of legitimate AI domains for C2 callbacks once initial delivery succeeds. Organizations should monitor claude.ai referrer traffic and enforce strict allow lists on npm provenance.