A practical security case study about fake AI tool install pages, clipboard command substitution, and why copy-pasting terminal commands from search results has become a real workstation risk. Introduction This is not a Claude vulnerability. It is not a story about "AI tools are dangerous" either. It is about a much more ordinary problem: developers are used to copying install commands from the browser into the terminal Enter fullscreen mode Exit fullscreen mode Attackers are now abusing that habit. The old phishing pattern was familiar: a fake login page, a malicious attachment, a suspicious document, a password reset email. The newer developer-focused pattern looks different: fake documentation fake install page fake copy button malware instead of install.sh Enter fullscreen mode Exit fullscreen mode The victim does not need to open a suspicious attachment. They search for an AI development tool, click a sponsored result, land on a page that looks like documentation, copy a terminal command, and run it.…