Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning

Source: HackRead


Cybercriminals are using fake websites for popular Artificial Intelligence (AI) tools to trick software developers into downloading data-stealing malware. The issue was first spotted on Apr. 21 by an independent security researcher. Following this discovery, on May 21, EclecticIQ released a report showing that a single, financially motivated threat actor had been setting up malicious domains since early Mar. 2026. The campaign specifically targets developers in the U.S. and the U.K. by exploiting their trust in new AI utilities. The attack uses SEO poisoning to push fake installation pages to the top of Google search results, so that developers searching for tools like the Google Gemini Command Line Interface (CLI) or Anthropic’s Claude Code end up on typosquatted domains like geminicli.co.com and claudecode.co.com.
