SEO Poisoning Campaign Impersonates Gemini CLI and Claude Code to Deploy Infostealer on Developer Workstations
What Happened — In March 2026 threat actors began a large‑scale SEO‑poisoning operation that ranks fake domains above the official Gemini CLI and Claude Code download pages. Victims who follow the malicious link execute a PowerShell‑based installer that runs entirely in memory and steals credentials, OAuth tokens, CI/CD secrets, VPN details and files before exfiltrating them encrypted to a C2 server.
Why It Matters for TPRM —
- The attack targets third‑party developer tooling, creating a direct supply‑chain foothold into enterprise networks.
- Stolen CI/CD and cloud credentials enable lateral movement and persistence across multiple business units.
- The campaign demonstrates how AI‑coding assistants can be weaponised, expanding the attack surface for vendors that provide developer‑oriented SaaS.
Who Is Affected — Technology / SaaS vendors, cloud‑native development platforms, MSPs that manage developer workstations, and any organisation that allows developers to install Gemini CLI or Claude Code on Windows endpoints.
Recommended Actions —
- Block known typosquatted domains (e.g.,
geminicli.co.com) at DNS and web‑proxy layers. - Enforce strict allow‑list policies for software installation commands on developer machines.
- Rotate and re‑issue any exposed CI/CD, OAuth, or VPN credentials immediately.
- Conduct a focused audit of endpoint PowerShell execution policies and enable constrained language mode.
Technical Notes — The payload is delivered via a malicious PowerShell one‑liner, executes in memory, and uses encrypted TLS to exfiltrate data. No known CVE is exploited; the vector is social engineering (SEO poisoning) combined with a trusted‑looking installer script. Data types stolen include Windows credentials, OAuth tokens, CI/CD service keys, VPN configs, and arbitrary files. Source: EclecticIQ Blog