Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Attacks | Source: SC Media

Fake AI tool websites used to steal developer data

A financially motivated threat actor is using SEO poisoning to promote fake websites for popular AI developer tools (e.g., Google Gemini CLI, Anthropic Claude Code), which mimic official documentation to trick users into executing malicious PowerShell commands. This downloads a fileless infostealer that disables security features like AMSI and ETW to steal credentials, session cookies, cryptocurrency wallets, and cloud files, and includes remote code execution capabilities. IT professionals should advise developers to meticulously verify download sources, avoid executing commands from untrusted sites, and scan files before execution.

Malware | Fake AI tool websites used to steal developer data | May 26, 2026 | By SC Staff

Cybercriminals are using fake websites for popular artificial intelligence (AI) tools to trick software developers into downloading data-stealing malware. A recent campaign was first spotted on April 21, 2026, by an independent security researcher. Following this discovery, on May 21, 2026, the security research firm EclecticIQ released a full report showing that a single, financially motivated threat actor had been setting up malicious domains since early March 2026. This campaign specifically targets developers in the US and the UK by exploiting their trust in new AI utilities, as reported by HackRead.

The attack campaign employs SEO poisoning to elevate fake installation pages in search engine results, leading developers searching for AI tools like Google Gemini CLI or Anthropic's Claude Code to typosquatted domains. These malicious sites meticulously mimic official vendor documentation.

Upon visiting a fake Gemini page, users are prompted to execute a PowerShell command that downloads a fileless infostealer. This malware operates entirely in memory, disabling security features like AMSI and ETW before stealing credentials and session cookies from browsers and applications such as Slack, Microsoft Teams, and Discord. It also targets cryptocurrency wallets and cloud storage files.

The campaign further includes a remote code execution feature, enabling direct network intrusion. Over 30 other fake domains targeting various developer tools are also active, with attackers even using a stolen Extended Validation certificate to bypass Windows security warnings. Developers are advised to verify download sources and scan files before execution.
Source: HackRead
