Cyber Attackers Caught Stealing Developer Secrets

How Are Attackers Evading Detection?

A campaign is underway where attackers are tricking developers into downloading fake Claude Code installers, resulting in stolen secrets. This has been happening since at least May 2026. The attackers are using a new COM interface called IElevator2.

The attackers are creating fake installers that appear to be legitimate Claude Code software. When developers install the fake software, the attackers gain access to sensitive information. The attackers are using this information to steal developer secrets.

Can Security Measures Keep Up?

The attackers are using a new COM interface called IElevator2, which allows them to bypass security measures. This interface is not well-known, making it difficult for security software to detect. As a result, the attackers are able to remain under the radar.

The use of fake installers is a clever tactic, as developers are often in a hurry and may not thoroughly check the authenticity of the software they download. The attackers are taking advantage of this by creating installers that appear to be legitimate.

The attackers are staying one step ahead of security measures by using new and unknown interfaces. This raises questions about the ability of security software to keep up with the evolving tactics of attackers.

Frequently Asked Questions

The consequences of this campaign are severe, as stolen developer secrets can be used to gain access to sensitive information and compromise entire systems. As the attackers continue to evolve their tactics, it is likely that we will see more sophisticated attacks in the future.

What is IElevator2? IElevator2 is a COM interface used by attackers to bypass security measures. It is not well-known, making it difficult to detect. How can developers protect themselves? Developers can protect themselves by thoroughly checking the authenticity of software before downloading it. What are the consequences of stolen developer secrets? Stolen developer secrets can be used to gain access to sensitive information and compromise entire systems.