Fake AI Installers Target Developers Arabian Post

2026-05-24 02:10:32

(MENAFN- The Arabian Post) clearfix">Cybercriminals are exploiting demand for AI coding tools by pushing fake Gemini CLI and Claude Code installation pages into search results, using the sites to deliver a fileless PowerShell infostealer aimed at developer workstations.

The campaign, active since early March 2026, marks a sharper turn in financially motivated attacks against software teams as AI assistants become embedded in daily coding workflows. The attackers are not merely imitating well-known brands; they are copying the installation habits developers already trust, then using those habits to harvest credentials, tokens and corporate access.

The operation relies on SEO poisoning, a technique that manipulates search visibility so malicious pages appear ahead of legitimate results for queries linked to popular tools. Developers searching for Gemini CLI or Claude Code installation instructions are directed to domains designed to resemble genuine documentation pages. Those pages present a familiar command-line installation flow, urging users to copy and paste a PowerShell command into a terminal.

Once executed, the command launches a hidden PowerShell process and retrieves a second-stage payload directly into memory. That fileless approach reduces the chance of detection by tools focused on files written to disk. The malware then begins collecting browser credentials, cookies, OAuth tokens, CI/CD secrets, VPN details, system information and sensitive local files before sending the data to attacker-controlled infrastructure.

The deception is strengthened by a particularly effective tactic: the fake Gemini installer also runs the genuine npm command for Google's official package. Victims therefore see a successful installation process, complete with normal terminal output, while the stealer runs silently in the background. That overlap between legitimate and malicious activity makes the infection harder for non-specialist users to spot.

See also Compliance lures expose Microsoft account risks

The Claude Code impersonation appears to follow the same operational pattern. Domains registered at the end of March were built around plausible tool names and installer language, with cloned pages that imitated official documentation and delivered a similar PowerShell-based payload. Infrastructure naming patterns, command behaviour and payload logic suggest a common operator or shared toolkit behind both the Gemini and Claude Code lures.

The campaign highlights a growing weakness in software supply chains: developer endpoints often hold privileged access to source repositories, cloud dashboards, package registries and deployment systems. A single compromised workstation can provide a route into broader corporate systems, particularly where session tokens, API keys and build credentials are stored locally.

AI coding tools have expanded the attack surface because adoption has moved faster than verification habits. Gemini CLI and Claude Code are designed to sit close to codebases, terminals and development environments. Attackers are exploiting that position by turning the installation process itself into the delivery mechanism.

The pattern also reflects a wider shift towards attacks that borrow from ClickFix and InstallFix social engineering. Instead of sending a conventional attachment or link, the attacker persuades the user to run the infection manually. The page looks professional, the command resembles normal developer practice, and the victim provides the execution step that security systems may otherwise block.

Security teams are being urged to treat command-line telemetry as a priority detection source. Suspicious combinations such as Invoke-RestMethod piped into Invoke-Expression, hidden PowerShell windows, Shell. Application execution and outbound connections immediately after terminal activity are important warning signs. Domains using typosquatted tool names, unusual co. com structures or installer-themed hostnames also merit scrutiny.

See also Bamboo flaw opens a dangerous pipeline gap

Preventive controls are likely to become more important as attackers expand the technique across more developer brands. PowerShell Constrained Language Mode, Windows Defender Application Control, AppLocker rules, short-lived tokens, FIDO-based authentication and stricter browser clipboard policies can reduce the impact of this type of attack. Security teams also need to review how much sensitive material is stored on workstations used for coding and deployment.

Developers remain the central target because they are both technically capable and accustomed to executing one-line install commands. That routine trust is precisely what the campaign abuses. Verification of package names, vendor domains and repository ownership is now a practical supply-chain defence, not a procedural formality.

Official installation paths remain the safest route. Gemini CLI is distributed through Google-linked documentation and repositories, while Claude Code is available through Anthropic's documented npm package and supported platforms. Any installer that requires an unexplained PowerShell command from an unfamiliar domain should be treated as hostile until verified independently.

MENAFN24052026000152002308ID1111161942

Legal Disclaimer:
MENAFN provides the information “as is” without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the provider above.