You type "claude download mac" into Google. You click the top result (sponsored ad, verified badge, URL is claude.ai). You land on a shared Claude chat titled "Running Claude Code on Mac", tagged "Shared by Apple Support" in the top right corner, with a bash command to paste into Terminal. Thirty seconds later, your Keychain is on a server in Sydney. No falsified URL anywhere in the chain. No typo-squat. No fake domain. TLDR: A live malware campaign this week uses verified Google Ads and claude.ai shared chats to drain Mac Keychains . Nothing in the chain is technically fake. That's the part that should worry you. The scammers keep getting better at this. Let me walk you through what happened, because every single step of this attack looks legitimate until you understand what "legitimate" actually means in 2026. 15,600 Macs, One Google Search, One Pasted Line Malware Chain: One Fake Step Among Five Real Ones The campaign was first flagged by Berk Albayrak, a security engineer at Trendyol, on May 9.…