The safe way to install Claude Code on Windows
Claude Code is a real product. Anthropic's official setup documentation lists several supported install paths for Windows, including PowerShell, CMD, WinGet, and the desktop app. It also notes that native Windows CLI use requires Git for Windows or WSL, and that running PowerShell as Administrator is not necessary.
Start from here and nowhere else:
The official Windows install paths currently documented by Anthropic include a PowerShell script at https://claude.ai/install.ps1 and a WinGet command:
winget install Anthropic.ClaudeCode
A Windows CMD installer path is also listed in the docs. The rule is simple: go to Anthropic's own setup page, read the current commands there, and use only those. Do not start from a search result, a blog post that copied the command, or a third-party repository claiming to package Claude Code more conveniently. The official product exists. The official docs exist. That is the clean path.
What the March 2026 campaign actually did
In March 2026, Push Security, Bitdefender, and Malwarebytes each published findings describing attacks that cloned the Claude Code installation page, distributed it through sponsored search results, and replaced the legitimate install command with a malicious one.
Push Security reported that attackers closely replicated the Claude Code installation page — visually indistinguishable to most users — and substituted the install command so that it fetched malware from attacker-controlled infrastructure instead of Anthropic's servers. The fake pages were promoted through paid search results for queries including "Claude Code," "Claude Code install," and "Claude Code CLI."
Bitdefender's reporting described one fake documentation page hosted on a Squarespace subdomain. On Windows, victims executed the malicious payload via mshta.exe — standard Windows tooling, nothing that would trigger obvious alarm. Malwarebytes made the broader point most clearly: developer install guides have trained users to trust single-line terminal commands copied from websites, and that habit turns the install page itself into an attack surface. The command can be real or fake; the page determines which one you get.
What makes this effective is that it does not ask the victim to do anything that looks reckless. It asks them to do something routine. That is the entire mechanism.
The checks that actually matter
The useful defence is procedural, not technical. Check the domain before you read the instructions. If you are not on Anthropic's own Claude Code setup page, you are already off the clean path. The official docs show the current install methods and the current Windows commands. That is what you compare everything else against.
Treat these as warning signs worth stopping for: pages that ask you to trust a mirror or a "community build"; repositories claiming to package Claude Code in a more convenient form; pages that look polished but are hosted on unrelated domains or third-party subdomains; install instructions that differ from what the official docs currently show.
None of those signals proves malice on its own. But the March 2026 reporting described exactly that pattern. The safer rule is: if the page is not Anthropic's own setup page, stop and verify the commands against the official docs before running anything. That verification takes under a minute and eliminates the risk entirely.
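The comparison rule above can be applied mechanically to a pasted one-liner before it is run. The following PowerShell function is an added example, not code from Anthropic's documentation or from the original article. Its allowlist holds only the host and WinGet ID quoted on this page; the function name `Test-InstallCommand`, the sample commands and the `example.net` hosts are constructed for illustration.

```powershell
# Added example (not Anthropic's code). Allowlist values are taken from this page only.
$AllowedHosts    = @('claude.ai')            # host of https://claude.ai/install.ps1
$AllowedWingetId = 'Anthropic.ClaudeCode'    # from: winget install Anthropic.ClaudeCode

function Test-InstallCommand {
    param([Parameter(Mandatory)][string]$Command)

    $reasons = [System.Collections.Generic.List[string]]::new()
    $matched = $false   # becomes true only on a positive match with a documented source

    # Every scheme://... token in the pasted text, not just https.
    $urls = @([regex]::Matches($Command, '(?i)\b[a-z][a-z0-9+.-]*://[^\s''"`)|;]+') |
        ForEach-Object { $_.Value })

    foreach ($u in $urls) {
        $uri = $null
        if (-not [Uri]::TryCreate($u, [UriKind]::Absolute, [ref]$uri)) {
            $reasons.Add("unparseable URL: $u"); continue
        }
        if ($uri.Scheme -ne 'https') { $reasons.Add("non-HTTPS URL: $u") }
        # Exact host comparison: a look-alike such as 'claude.ai.example.net' fails here.
        if ($AllowedHosts -contains $uri.Host) { $matched = $true }
        else { $reasons.Add("host not on allowlist: $($uri.Host)") }
    }

    if ($Command -match '(?i)^\s*winget\s+install\s+(\S+)') {
        if ($Matches[1] -eq $AllowedWingetId) { $matched = $true }
        else { $reasons.Add("unexpected WinGet package id: $($Matches[1])") }
    }

    # Bitdefender's reporting named mshta.exe as the Windows execution vehicle.
    if ($Command -match '(?i)\bmshta(\.exe)?\b') { $reasons.Add('invokes mshta.exe') }

    if (-not $matched -and $reasons.Count -eq 0) {
        $reasons.Add('no documented install source found in command')
    }
    [pscustomobject]@{ Ok = ($reasons.Count -eq 0); Reasons = @($reasons); Command = $Command }
}

# Constructed samples: the first two are built around the URL and WinGet command
# on this page, the rest use placeholder hosts under example.net.
@(
    'irm https://claude.ai/install.ps1 | iex',
    'winget install Anthropic.ClaudeCode',
    'irm https://claude.ai.example.net/install.ps1 | iex',
    'mshta.exe https://docs-mirror.example.net/claude',
    'winget install Anthropic.ClaudeCode.Community'
) | ForEach-Object { Test-InstallCommand -Command $_ } | Format-List Ok, Reasons, Command
```

A passing result only means every source in the command matches the allowlist; the allowlist itself still has to be kept in step with what the official setup page currently shows.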
Open-source alternatives worth knowing
Open source does not mean safe. It means the code is available to inspect. Most users will not inspect it in any depth, and even experienced developers rarely audit the full supply chain. That said, the scam-distribution risk that applies to fake Claude Code pages is lower for established open-source projects with stable repositories and visible maintainer histories. The relevant risks are different: what the tool can do inside your environment, and who controls the update path.
Aider
Aider describes itself as AI pair programming in your terminal. Its GitHub repository is at github.com/aider-ai/aider, links to aider.chat, and carries an Apache-2.0 licence. It supports both cloud and local LLM use. For developers who want a serious open-source terminal coding assistant rather than a closed vendor product, it is a reasonable starting point.
Cline
Cline is an autonomous coding agent that runs inside your IDE. Its repository at github.com/cline/cline carries an Apache-2.0 licence and a visible security policy. It can create and edit files, execute terminal commands, and use the browser — all with user permission. That scope warrants a stricter level of scrutiny than a passive autocomplete plugin.
Goose
Goose is an open-source project from Block. Its repository at github.com/block/goose describes it as a local, extensible AI agent for automating engineering tasks. Apache-2.0 licence, a security policy, and current releases are all visible. It is a plausible choice for users who want a more local-first setup.
OpenHands
OpenHands presents itself as an AI-driven development environment with MIT-licensed core components. Its repository is at github.com/OpenHands/OpenHands. Its own documentation recommends Docker as the default local runtime, which provides stronger isolation than a bare install — relevant for teams who want more runtime control.
Continue
Continue describes itself as source-controlled AI checks enforceable in CI, powered by an open-source CLI. The repository at github.com/continuedev/continue shows an Apache-2.0 licence, a security policy, and public install instructions. It sits across CLI, CI checks, and editor integrations.
Closed-source alternatives that are real
Some users do not care whether the alternative is open-source. They want a real product from a real vendor with a normal, verifiable distribution path. These five fit that description.
| Tool | Vendor | Official URL | What to keep in mind |
|---|---|---|---|
| Cursor | Anysphere | cursor.com | AI coding IDE with clear vendor distribution. The trade-off is a vendor-controlled environment with significant code context. |
| Windsurf | Codeium | windsurf.com/editor | AI-driven coding environment with deep codebase awareness. Convenience can make users too relaxed about permissions and review. |
| GitHub Copilot | GitHub (Microsoft) | github.com/features/copilot | Mainstream coding assistant with agentic features now available. Cloud- and platform-centric, not local-first. |
| Gemini Code Assist | Google | codeassist.google | Free individual tier available. Google's own documentation notes the system can produce plausible but incorrect output — validate results before use. |
| Amazon Q Developer | AWS | aws.amazon.com/q/developer | Generative AI for AWS application development. Free tier available. Makes most immediate sense for teams already in AWS-heavy workflows. |
What makes the most sense
If you want Claude Code itself, the safe answer is the official Anthropic setup page: code.claude.com/docs/en/setup. Start there, use only the commands listed there, and you have no exposure to the scam campaigns described above.
If you want an open-source alternative, Aider is a reasonable starting point for terminal-based coding assistance. Cline is worth considering if you want something more agentic inside an editor, with the caveat that its permissions warrant careful review. Goose makes sense if local-first operation matters to you. OpenHands is more relevant if you want stronger runtime isolation and can manage the additional setup complexity. Continue belongs in the mix if CI-integrated AI checks are part of what you actually need.
If open-source is not a priority and you mainly want a real vendor product with a standard distribution path, Cursor, Windsurf, GitHub Copilot, Gemini Code Assist, and Amazon Q Developer are all cleaner options than searching for "Claude Code alternatives" in a browser that may return sponsored fake pages.
The mistake to avoid is not "using AI coding tools." It is treating the install path as an afterthought. The product can be entirely legitimate, and the install page can still be fake. That gap is what the March 2026 campaign exploited — and it will be exploited again as long as developers trust terminal commands on the basis of how a page looks rather than where it is hosted.
Is Claude Code itself safe to use?
Yes. Claude Code is a legitimate product from Anthropic. The risk is not in the product — it is in fake install pages that distribute malware under the product's name. Installing from Anthropic's official docs removes that risk entirely.
How do I tell a fake install page from the real one?
Check the domain. The real setup documentation is on Anthropic's own infrastructure. If the page you are reading is not hosted there, treat it as unverified and check the commands against the official docs before running anything. Visual appearance alone is not a reliable signal — the March 2026 fakes were closely matched to the genuine pages.
Do I need to run PowerShell as Administrator to install Claude Code?
No. Anthropic's own documentation states explicitly that Administrator mode is not required for the Windows install paths.
Are the open-source alternatives safer than Claude Code?
They carry different risks, not necessarily lower ones. The scam-distribution risk that produced fake Claude Code pages is less likely to affect well-established open-source projects with stable, public repositories. But the operational risk — what the tool can access and do once installed — is real for any agentic coding tool, open-source or otherwise. Review permissions carefully regardless of licence.