Developers warned to avoid 'early-access' Google Gemini tools

NordVPN has uncovered a series of active malicious campaigns impersonating the official Google Gemini Command-Line Interface (CLI).

Attackers are creating fake websites, cloned repositories, and deceptive social media posts to trick developers and other users into installing what appears to be an unofficial or early-access version of Gemini’s developer tool.

But instead of delivering legitimate software, the campaigns distribute a reverse shell, giving the attacker complete and unrestricted remote control over the compromised machine, with no further action required on their end.

“AI tools are generating huge interest right now, and attackers are moving fast to exploit that,” said Domininkas Virbickas, product director at NordVPN.

“The payloads being delivered here grant full remote access to a victim’s machine, which makes this a serious threat regardless of how technically sophisticated the target is.”

Fake Gemini tools have Windows and Mac variants

The attack has both MacOS and Windows versions. On MacOS, it starts with a convincing clone of the official Google Gemini CLI web page. This instructs the user to run an innocuous-looking command in their terminal.

However, this command is encoded in the Base64 simple text encoding format, obscuring what it actually does.

"Once decoded, the command downloads a malicious script from a remote server and immediately runs it with the highest administrative privileges available on the system," the researchers said.

"It means the attacker’s code can read, modify, or delete any file on the device, install additional malware, or use the compromised Mac as a launchpad to access corporate networks the device is connected to."

As for the Windows variant, this uses a different delivery method. A PowerShell command, disguised with variable names like $Install=’GeminiCLI’ to look like a legitimate software setup process, connects to a remote server and executes malicious code directly in the device’s memory.

Running code in memory rather than writing it to disk - a fileless attack - evades traditional antivirus software that scans files for known threats.

As well as these direct attacks, NordVPN’s researchers also found a typosquatting operation targeting the npm ecosystem. Fake package names, including gemini/cli and gemini-cli, were registered or under preparation to mimic the official google/gemini-cli package.

"The strategy exploits a common habit among developers of omitting the organization prefix when searching for or installing packages," the researchers warned.

"Although the fake package had not yet appeared in the npm registry at the time of analysis, its preparation signals an active and imminent threat. Once published, any developer who installs it by mistyping the package name could unknowingly execute malicious code."

How to stay safe

NordVPN advised users to be wary of any website, forum post, or social media message offering early or unofficial access to developer tools. They should stick to official sources - and, in this case, that's just the official Google repository.

Never run a terminal or PowerShell command you didn't write yourself unless you fully understand what it does, the firm warned, pointing out that legitimate software installers don't ask users to copy and paste commands from a webpage.

Similarly, developers should verify package names in full before installation, including the organization prefix - the official package is google/gemini-cli, not gemini/cli or gemini-cli.

Nord also adviased using security software that includes behavioral detection, not just file-based scanning. Fileless attacks are specifically engineered to bypass traditional antivirus tools.

ITPro approached Google for comment, but did not receive a response by time of publication.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.