Fake Gemini CLI tricks developers, installs remote-access malware
Attackers clone Gemini CLI pages, repos and posts to trick developers into running commands that deploy reverse shells on macOS and Windows, granting full remote access.
NordVPN researchers uncovered active campaigns impersonating the Google Gemini command-line interface. Attackers used fake websites, cloned code repositories and deceptive social posts to prompt developers to run commands that install reverse shells and give attackers full remote access.
On macOS, cloned web pages instruct users to paste a Base64-encoded command into the terminal. When decoded, the command downloads a script from a remote server and runs it with the system’s highest administrative privileges. That gives the attacker code the ability to read, modify or delete files, install additional malware, or use the compromised device to access other machines on the same network.
The Windows variant delivers a PowerShell command disguised with benign variable names such as $Install=’GeminiCLI’. The command connects to a remote server and executes malicious code directly in memory rather than writing files to disk. Running the payload in memory is a fileless technique designed to bypass antivirus tools that rely on file scanning while still opening a reverse shell.
Researchers also identified a planned typosquatting operation targeting the npm registry. Attackers prepared package names such as gemini/cli and gemini-cli to mimic the official google/gemini-cli package. At the time of analysis the fake packages had not appeared in the registry.
Domininkas Virbickas, product director at NordVPN, warned: “AI tools are generating huge interest right now, and attackers are moving fast to exploit that. The payloads being delivered here grant full remote access to a victim’s machine, which makes this a serious threat regardless of how technically sophisticated the target is.”
NordVPN advised users to stick to official sources. Verify that downloads and repositories come from the Google repository and confirm npm package names include the organization prefix google/gemini-cli. Do not run terminal or PowerShell commands you did not write or do not fully understand. Legitimate installers do not require copying and pasting commands from a webpage. Use security tools that include behavioral detection rather than relying solely on file-based scanning.
The campaigns target individual developers and connected corporate networks by exploiting common developer habits and social engineering. Cloned pages, repositories and posts offering early or unofficial access increase the chance that users will execute harmful commands.
