{"slug": "seo-poisoning-distributes-fake-gemini-and-claude-installers", "title": "SEO Poisoning Distributes Fake Gemini and Claude Installers", "summary": "Security researchers at EclecticIQ identified an SEO poisoning campaign in early March 2026 that used typosquatted domains to impersonate Gemini CLI and Claude Code installation pages. Victims who copied a PowerShell command from these fake pages executed a fileless infostealer that harvests browser cookies, session tokens, OAuth tokens, CI/CD credentials, VPN keys, and files, with exfiltration observed to domains such as events.msft23.com. The campaign raises targeted supply-chain and developer-workstation risk for enterprises by exploiting search rankings and typosquatting to reach developer endpoints at scale.", "body_md": "# SEO Poisoning Distributes Fake Gemini and Claude Installers\n\nSecurity researchers at **EclecticIQ** identified an SEO poisoning campaign in **early March 2026** that used typosquatted domains to impersonate Gemini CLI and Claude Code installation pages, according to EclecticIQ's report and coverage by **Infosecurity Magazine** and **SOC Prime**. Victims who copied a PowerShell command from these fake pages executed an in-memory infostealer that harvests browser cookies, session tokens, OAuth tokens, CI/CD credentials, VPN keys, and files, with exfiltration observed to domains such as events.msft23.com, per EclecticIQ and SOC Prime. **GBHackers** observed the payload running while the legitimate Gemini CLI was installed via npm, masking the compromise. 
Editorial analysis: this technique raises targeted supply-chain and developer-workstation risk for enterprises and increases the importance of guarding against copy-paste installation commands.\n\n### What happened\n\n**EclecticIQ** researchers identified an SEO poisoning campaign in **early March 2026** that used typosquatted domains to impersonate Gemini CLI and Claude Code installation pages, per the EclecticIQ report (blog.eclecticiq.com). **Infosecurity Magazine** and **SOC Prime** corroborated the activity in independent reporting, noting the campaign surfaced fake domains above legitimate search results. Independent researcher @g0njxa first flagged the Gemini CLI impersonation on April 21, 2026, according to Infosecurity Magazine.\n\nObserved attacker-controlled domains include geminicli.co.com, gemini-setup.com, claudecode.co.com, and claude-setup.com, and exfiltration was observed to domains such as events.msft23.com, as documented by **GBHackers**, **EclecticIQ**, and **SOC Prime**. The malicious landing pages instruct developers to copy a single PowerShell command; executing that command launches a fileless infostealer that runs entirely in memory via PowerShell, according to EclecticIQ and SOC Prime.\n\n### Technical details (reported)\n\nSOC Prime and EclecticIQ detail an infection chain that uses irm | iex (Invoke-RestMethod piped to Invoke-Expression) to fetch a first-stage PowerShell string, then launches a hidden PowerShell window via Shell.Application.ShellExecute and loads additional C# types using Add-Type P/Invoke calls to extract credentials. The payload targets Chromium-family browsers and Firefox to harvest login credentials, session cookies, autofill data, and form history, and it enumerates and exfiltrates artifacts from collaboration apps such as Slack, Microsoft Teams, Discord, Zoom, Telegram Desktop, Notion, and others, according to EclecticIQ and Infosecurity Magazine. 
**GBHackers** observed that the malicious chain also installs the legitimate Gemini CLI via npm while the infostealer runs, creating an appearance of a successful install.\n\n### Industry context\n\nEditorial analysis: SEO poisoning is a well-established eCrime technique; observers in the reporting frame this campaign as an extension of that pattern specifically targeting developer tooling and AI assistants. Companies relying on search to locate installation instructions expose a predictable attack surface: attackers can monetize search rankings and typosquatting to reach developer workstations at scale. For defenders, the combination of fileless execution, DPAPI-targeting extraction, and token harvests makes these compromises valuable for follow-on intrusions into enterprise networks.\n\n### Context and significance (reported + analysis)\n\nEclecticIQ warns that the campaign harvests OAuth tokens, CI/CD credentials, VPN details, and sensitive files and provides arbitrary remote code execution capability that adversaries can use for hands-on-keyboard intrusions, per the EclecticIQ report. Infosecurity Magazine quoted EclecticIQ: \"The stealer's collection scope reveals a deliberate focus on enterprise users and developer workstations.\" Editorial analysis: credential and token theft from developer endpoints is high-value because it can translate to lateral movement and supply-chain access in target environments.\n\n### What to watch\n\nFor practitioners: monitor for indicators documented by SOC Prime and EclecticIQ, including irm | iex PowerShell patterns, hidden PowerShell windows, suspicious Add-Type use, and outbound requests to *-setup.com domains and events.*.com hostnames. Detection rules should correlate PowerShell execution with browser process activity and network connections to unusual domains. 
Observers should also watch for additional typosquatted domains and SEO manipulation that racks up search visibility for developer-focused keywords.\n\nEditorial analysis: defenders and developer teams should treat copy-paste installation commands from untrusted search results as a recurring threat vector. The reported tactic of installing a legitimate CLI while running a malicious payload illustrates how attackers can blend into normal developer workflows to delay detection.\n\n### Bottom line\n\nThis multi-source reporting from **EclecticIQ**, **Infosecurity Magazine**, **GBHackers**, and **SOC Prime** describes an active SEO poisoning campaign that targets AI developer tooling to deliver an in-memory infostealer. The operation's focus on tokens and developer credentials creates a direct path to enterprise access, elevating the operational risk for organizations that rely on developers' machines for CI/CD and cloud access.\n\n## Scoring Rationale\n\nMultiple security shops reported a targeted campaign stealing developer credentials and tokens, which materially raises enterprise risk and defender workload. 
The methods are notable but not a new class of attack, so importance is high but not sector-changing.", "url": "https://wpnews.pro/news/seo-poisoning-distributes-fake-gemini-and-claude-installers", "canonical_source": "https://letsdatascience.com/news/seo-poisoning-distributes-fake-gemini-and-claude-installers-34ef26bf", "published_at": "2026-05-26 11:14:07.230099+00:00", "updated_at": "2026-05-26 11:14:10.331732+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-products", "generative-ai", "ai-infrastructure"], "entities": ["EclecticIQ", "Gemini CLI", "Claude Code", "Infosecurity Magazine", "SOC Prime", "GBHackers", "events.msft23.com", "g0njxa"], "alternates": {"html": "https://wpnews.pro/news/seo-poisoning-distributes-fake-gemini-and-claude-installers", "markdown": "https://wpnews.pro/news/seo-poisoning-distributes-fake-gemini-and-claude-installers.md", "text": "https://wpnews.pro/news/seo-poisoning-distributes-fake-gemini-and-claude-installers.txt", "jsonld": "https://wpnews.pro/news/seo-poisoning-distributes-fake-gemini-and-claude-installers.jsonld"}}