A new, highly targeted malware campaign is exploiting the rush to adopt AI programming tools, security researchers warn. According to a Kaspersky report, attackers are uploading malicious packages to the Python Package Index (PyPI), impersonating legitimate tools like Anthropic's Claude Code and Google's Gemini CLI.
The fraudulent packages, with names like 'claude-code' and 'google-gemini-cli', are designed to be installed by developers seeking the latest AI assistants. Once executed, the software silently steals a wide array of sensitive data from the victim's machine. This includes browser-stored passwords, session cookies, cryptocurrency wallets, and SSH keys—essentially granting attackers the keys to both personal assets and corporate infrastructure.
Sergey Lozhkin, a principal security researcher at Kaspersky, noted the strategy's precision: developers are high-value targets because their workstations often hold access to source code, cloud credentials, and deployment systems. Compromising a single developer can open a path to an entire software supply chain.
The timing is strategic. The launch of new AI coding tools in 2025 created a surge of demand, a moment attackers leveraged by registering obvious package names before the legitimate companies could. The fake packages often include realistic metadata and even some functional code, making them difficult to spot in a hurry.
This incident reflects a persistent vulnerability in open-source ecosystems. While PyPI has implemented safeguards like mandatory two-factor authentication for maintainers, the volume of uploads makes preemptive vetting a challenge. The consequence is a reactive security posture, where malicious packages may operate for days before detection.
The fallout from such credential theft is already tangible. Recent high-profile breaches at companies like Snowflake have been linked back to credentials harvested by infostealer malware. For developers and organizations, the message is clear: verify every package name meticulously, scrutinize download statistics, and assume that any popular new tool will have malicious imitators waiting in the wings.
Source: Webpronews