Fake Gemini and Claude Code Sites Spread Infostealers Through SEO Poisoning
ID: e85b9ae9-1fcd-5e53-a08e-b7a78d4086d1
STIX ID: report--e85b9ae9-1fcd-5e53-a08e-b7a78d4086d1
Feed Name: Infosecurity Magazine (News)
Security researchers uncovered a phishing and SEO-poisoning campaign that clones the Google Gemini CLI and Anthropic Claude Code installation pages to trick developers into executing a PowerShell command that downloads a memory-resident infostealer. The malware harvests credentials, session cookies, collaboration-app data, VPN configuration and cryptocurrency wallet files, and exfiltrates the encrypted results to attacker-controlled C2 infrastructure; indicators point to the targeting of developers and enterprise workstations in the US and UK.
