SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
ID: 940619b4-488c-56b7-9945-a6202f9c91a7
STIX ID: report--940619b4-488c-56b7-9945-a6202f9c91a7
Feed Name: Security Boulevard
Financially motivated actors are conducting an SEO-poisoning campaign that surfaces typosquatted installation pages for Gemini CLI and Claude Code to trick developers into running a single command. The resulting in-memory PowerShell infostealer harvests credentials, OAuth tokens, CI/CD and VPN secrets, and sensitive files, exfiltrating encrypted data to a C2 and providing arbitrary remote code execution that enables hands-on-keyboard intrusions into enterprise environments.
