SEO-Poisoning Campaign Delivers Fake Gemini CLI and Claude Code Installers - EclecticIQ
EclecticIQ identified an SEO-poisoning campaign in early March 2026 that ranked typosquatted domains impersonating the Gemini CLI and Claude Code installation pages, then used them to deliver a fileless Windows infostealer. The fake pages told developers to paste a single PowerShell command that harvested the same credentials AI CLIs themselves use. This advisory covers what EclecticIQ disclosed, why a fake-installer campaign lands on the agentic-endpoint layer, and how to inventory and govern the CLIs and secrets it targets.
What happened
EclecticIQ tracked an SEO-poisoning campaign that pushed malicious domains to the top of search results for developers looking to install the Gemini CLI and Claude Code. The fake landing pages - including geminicli.co.com, gemini-setup.com, claudecode.co.com, and claude-setup.com - copied the real installation pages and told the visitor to copy a single PowerShell command into a terminal. Running it launched a fileless infostealer that executed entirely in memory, so no installer file landed on disk for an on-access scan to catch.
To avoid suspicion, observed cases then installed the legitimate Gemini CLI via npm, so the victim saw a working tool while the stealer ran behind it. The malware harvested browser cookies, session tokens, OAuth tokens, CI/CD credentials, VPN keys, and files, exfiltrating them to attacker domains such as events.msft23.com. Pivoting on passive DNS, analysts uncovered a cluster of more than 30 malicious domains that also impersonated Node.js, Chocolatey, KeePassXC, and Monero, most registered between late March and early April 2026. An independent researcher first flagged the Gemini CLI impersonation on April 21, 2026.
There is no CVE here - the weakness is not in Gemini CLI or Claude Code, but in the install path a developer trusts when search ranks an attacker's page above the real one. Because the payload is fileless and arrives as a copied command rather than a downloaded binary, there is no installer artifact to key on. The durable signal is a CLI that appeared outside the sanctioned install path and the tokens it touches, which is exactly what the eight AI artifact types Anomity tracks make visible.
Why this is an agentic-endpoint risk
The credentials this campaign steals are the credentials the AI CLI layer runs on. Gemini CLI and Claude Code authenticate with OAuth tokens, read session cookies, and operate inside developer environments holding CI/CD credentials and VPN keys. A stealer that lifts those tokens does not break the CLI; it inherits the access the CLI already has, from a laptop that often reaches source control, build pipelines, and cloud accounts. The attacker impersonated AI-CLI installers precisely because the audience and the loot line up.
This exposure is hard to see from the controls you already run, because it lives in the AI artifact layer. The PowerShell payload runs in memory, so EDR sees a trusted shell rather than a file to quarantine; the fake page then installs the real Gemini CLI via npm, so the endpoint looks correctly provisioned; and exfiltration to a domain such as events.msft23.com looks like ordinary outbound HTTPS to network controls. AI agents, CLIs, and secrets are part of the eight AI artifact types Anomity tracks per endpoint, adopted bottom-up the same way AI agents and MCP servers became the new shadow IT. The question is not whether one laptop was phished; it is which endpoints have a Gemini CLI or Claude Code install that arrived outside the sanctioned path, and which tokens those CLIs can reach - and you cannot answer that without an inventory of the artifact layer.
How Anomity surfaces and governs it
There is no patch to apply, because nothing in Gemini CLI or Claude Code is broken - the control is to see where these CLIs came from, redact the secrets they touch, and keep a record you can query when a campaign like this surfaces. Anomity does that in three steps.
First, inventory. Anomity inventories the CLIs and secrets on every managed endpoint as part of the eight AI artifact types it tracks, then classifies them. It records each Gemini CLI and Claude Code install and its provenance, so a CLI that appeared outside the sanctioned install path - the tell of a fake-installer compromise - stands out instead of blending into normal provisioning. Metadata only: the OAuth tokens, session cookies, and CI/CD credentials this stealer targets are redacted on the endpoint before anything leaves it.
Second, decide at the hook. On agents that expose a hook, Anomity evaluates each tool call against your policy and returns allow, deny, or log before the call runs. A CLI installed off the sanctioned path that tries to read a token store or reach an unfamiliar outbound destination is evaluated against policy rather than trusted because the binary exists, so the access can be denied or logged at the boundary. That is the control runtime governance provides on agents that expose a hook. This is the same credential-theft objective the sibling Claude Code project-file RCE and token exfiltration advisory covers - different entry point, same tokens at stake.
Third, keep the record. Every Gemini CLI and Claude Code install, version change, and tool-call decision Anomity observes lands in a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When a campaign like the EclecticIQ fake-installer cluster lands - with no CVE to key on and a fileless payload that leaves nothing on disk - you can answer which endpoints have a CLI that arrived outside the sanctioned path, which secrets those CLIs could reach, and what they were allowed to do, from a record rather than a guess. Anomity complements your Network, EDR, DLP, and GRC tooling; it covers the artifact layer those tools were never built to inventory.
"You can't govern what you can't see." - The Anomity principle
What to check across your fleet
- Inventory every endpoint running Gemini CLI or Claude Code and record how each install arrived; flag any CLI that appeared outside your sanctioned install path or package source.
- Block at the source where you can: confirm developers install from the official package paths, not from a search result, and treat copied PowerShell install commands as untrusted.
- Hunt for the named indicators as plain text - geminicli.co.com, gemini-setup.com, claudecode.co.com, claude-setup.com, and exfiltration to domains such as events.msft23.com - and remember 30+ related domains also impersonate Node.js, Chocolatey, KeePassXC, and Monero.
- Remember the payload is fileless and runs in memory, so an on-disk installer scan will miss it; find compromise by the artifact that appeared and the tokens it touched, not by a dropped file.
- Rotate the credentials this stealer targets - browser session cookies, OAuth tokens, CI/CD credentials, and VPN keys - on any endpoint where an unsanctioned AI-CLI install is found.
- Verify OAuth tokens, session cookies, and other secrets are redacted on the endpoint so an inventory never carries credential values off the machine.
- Confirm tool calls from agents that expose a hook are evaluated at the hook with allow/deny/log, so a CLI off the sanctioned path is governed rather than trusted on existence.
- Confirm every CLI install, version change, and tool-call decision is written to a 90-day audit trail and routed to your SIEM.
- Cross-reference against the sibling Claude Code project-file RCE advisory to find endpoints exposed to more than one token-theft path, and see the pillar on securing AI coding agents and CLIs for the full surface.
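The indicator hunt from the checklist above, as an added example (not EclecticIQ's or Anomity's code): it matches DNS or proxy records against the domains named on this page, on label boundaries and after refanging, and separates endpoints that only visited a lure page from those that also contacted the exfiltration domain. The record layout, endpoint names and sample rows are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators named on this page; the wider 30+ domain cluster is not listed here.
LURE_DOMAINS = {"geminicli.co.com", "gemini-setup.com", "claudecode.co.com", "claude-setup.com"}
EXFIL_DOMAINS = {"events.msft23.com"}

def normalize(host):
    """Lowercase, refang '[.]' and 'hxxp', strip scheme, path, port and trailing dot."""
    h = host.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    h = re.sub(r"^[a-z]+://", "", h)
    h = re.split(r"[/:?#]", h, maxsplit=1)[0]
    return h.rstrip(".")

def match(host, indicators):
    """Return the indicator that host equals or is a subdomain of, else None."""
    h = normalize(host)
    for ind in indicators:
        if h == ind or h.endswith("." + ind):  # label boundary, not substring
            return ind
    return None

def triage(records):
    """records: iterable of (timestamp, endpoint, host). Returns {endpoint: verdict}."""
    seen = defaultdict(lambda: {"lure": set(), "exfil": set()})
    for _ts, endpoint, host in records:
        if (ind := match(host, LURE_DOMAINS)):
            seen[endpoint]["lure"].add(ind)
        elif (ind := match(host, EXFIL_DOMAINS)):
            seen[endpoint]["exfil"].add(ind)
    # Exfil contact outranks a lure visit: that endpoint is a credential-rotation candidate.
    return {ep: ("exfil-contact" if h["exfil"] else "lure-visit") for ep, h in seen.items()}

# Constructed sample DNS/proxy records (not real telemetry).
SAMPLE = [
    ("2026-04-02T09:14:03Z", "dev-lt-01", "geminicli.co.com"),
    ("2026-04-02T09:15:41Z", "dev-lt-01", "https://events.msft23.com/upload"),
    ("2026-04-03T11:02:10Z", "dev-lt-02", "www.claude-setup.com."),
    ("2026-04-03T11:30:00Z", "dev-lt-03", "notgemini-setup.com"),
    ("2026-04-03T12:00:00Z", "dev-lt-04", "events.msft23.com.example.org"),
]

if __name__ == "__main__":
    for endpoint, verdict in sorted(triage(SAMPLE).items()):
        print(endpoint, "->", verdict)
```

The last two sample rows are look-alikes that a plain substring search would flag; matching on label boundaries keeps them out of the results.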
The EclecticIQ fake-installer cluster is a reminder that the install path itself is an attack surface: a typosquatted page and a single PowerShell command can hand an attacker the OAuth tokens, session cookies, and CI/CD credentials your AI CLIs depend on, while the real Gemini CLI installs via npm to keep the developer calm. There is nothing to patch - the durable control is to inventory the CLIs and secrets your endpoints carry, govern the tool calls at the hook, and keep an audit trail you can query when the next campaign lands. For the full attack surface, see the pillar on securing AI coding agents and CLIs, and request early access to see Anomity govern the agent and CLI layer across your fleet.
Frequently asked questions
What did EclecticIQ find in this campaign?
EclecticIQ identified an SEO-poisoning campaign in early March 2026 that ranked typosquatted domains impersonating the Gemini CLI and Claude Code installation pages, including geminicli.co.com, gemini-setup.com, claudecode.co.com, and claude-setup.com. The fake pages told developers to copy and run a single PowerShell command, which launched a fileless infostealer that ran entirely in memory. In observed cases the legitimate Gemini CLI was installed via npm to mask the compromise. The malware harvested browser cookies, session tokens, OAuth tokens, CI/CD credentials, VPN keys, and files, then exfiltrated to attacker domains such as events.msft23.com. Pivoting on passive DNS uncovered a cluster of more than 30 malicious domains.
How does the fake installer attack work?
A developer searches for a Gemini CLI or Claude Code installer and lands on a poisoned result like geminicli.co.com or claudecode.co.com. The page instructs them to copy one PowerShell command into a terminal. That command pulls and runs a fileless infostealer in memory, leaving no installer file on disk for a quick scan to catch. To avoid suspicion, observed cases then installed the real Gemini CLI through npm, so the developer sees a working tool. Behind that, the stealer collects browser cookies, session and OAuth tokens, CI/CD credentials, VPN keys, and files, and exfiltrates them to domains such as events.msft23.com. The campaign targets exactly the credentials AI CLIs use.
Which domains and indicators are tied to this campaign?
EclecticIQ named geminicli.co.com, gemini-setup.com, claudecode.co.com, and claude-setup.com as fake Gemini CLI and Claude Code pages, with exfiltration to attacker domains such as events.msft23.com. Pivoting on passive DNS uncovered a cluster of more than 30 malicious domains that also impersonated Node.js, Chocolatey, KeePassXC, and Monero, most registered between late March and early April 2026. An independent researcher first flagged the Gemini CLI impersonation on April 21, 2026. Because the payload is fileless and delivered by a copied PowerShell command, there is no installer artifact to key on - the durable signal is a CLI that appeared on an endpoint outside the sanctioned install path.
How does Anomity reduce exposure to this campaign?
Anomity inventories CLIs and secrets on every managed endpoint as part of the eight AI artifact types it tracks, so a Gemini CLI or Claude Code install that appeared outside the sanctioned path - the tell of a fake-installer compromise - is visible to defenders rather than blending in. It collects metadata only and redacts secrets such as OAuth tokens, session cookies, and CI/CD credentials on the endpoint, the exact data this stealer targets. On agents that expose a hook, Anomity returns allow, deny, or log on each tool call before it runs, and every install, version change, and decision lands in a queryable 90-day audit trail routed to your SIEM, Slack, email, or Jira.