Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning
Cybercriminals are using fake websites for popular Artificial Intelligence (AI) tools to trick software developers into downloading data-stealing malware. The issue was first spotted on 21 April 2026 by an independent security researcher known as @g0njxa on X (formerly Twitter).
Following this discovery, on 21 May 2026, the security research firm EclecticIQ released a full report showing that a single, financially motivated threat actor had been setting up malicious domains since early March 2026. This campaign specifically targets developers in the US and the UK by exploiting their trust in new AI utilities.
The Search Engine Trap
This attack involves using SEO poisoning to push fake installation pages to the top of Google search results so that developers searching for tools like the Google Gemini Command Line Interface (CLI) or Anthropic’s Claude Code end up on typosquatted domains like geminicli.co.com and claudecode.co.com. These domains perfectly copy official vendor...
Copyright of this story solely belongs to hackread.com. To see the full text click HERE