HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

SEO Poisoning Campaign Impersonates Gemini CLI and Claude Code to Deploy Infostealer on Developer Workstations

Threat actors are using SEO‑poisoning to rank fake Gemini CLI and Claude Code download sites above the legitimate pages. When developers run the provided PowerShell command, an in‑memory infostealer harvests credentials, CI/CD secrets and VPN details, creating a supply‑chain foothold into enterprise environments.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 blog.eclecticiq.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
blog.eclecticiq.com

SEO Poisoning Campaign Impersonates Gemini CLI and Claude Code to Deploy Infostealer on Developer Workstations

What Happened — In March 2026 threat actors began a large‑scale SEO‑poisoning operation that ranks fake domains above the official Gemini CLI and Claude Code download pages. Victims who follow the malicious link execute a PowerShell‑based installer that runs entirely in memory and steals credentials, OAuth tokens, CI/CD secrets, VPN details and files before exfiltrating them encrypted to a C2 server.

Why It Matters for TPRM

  • The attack targets third‑party developer tooling, creating a direct supply‑chain foothold into enterprise networks.
  • Stolen CI/CD and cloud credentials enable lateral movement and persistence across multiple business units.
  • The campaign demonstrates how AI‑coding assistants can be weaponised, expanding the attack surface for vendors that provide developer‑oriented SaaS.

Who Is Affected — Technology / SaaS vendors, cloud‑native development platforms, MSPs that manage developer workstations, and any organisation that allows developers to install Gemini CLI or Claude Code on Windows endpoints.

Recommended Actions

  • Block known typosquatted domains (e.g., geminicli.co.com) at DNS and web‑proxy layers.
  • Enforce strict allow‑list policies for software installation commands on developer machines.
  • Rotate and re‑issue any exposed CI/CD, OAuth, or VPN credentials immediately.
  • Conduct a focused audit of endpoint PowerShell execution policies and enable constrained language mode.

Technical Notes — The payload is delivered via a malicious PowerShell one‑liner, executes in memory, and uses encrypted TLS to exfiltrate data. No known CVE is exploited; the vector is social engineering (SEO poisoning) combined with a trusted‑looking installer script. Data types stolen include Windows credentials, OAuth tokens, CI/CD service keys, VPN configs, and arbitrary files. Source: EclecticIQ Blog

📰 Original Source
https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →