Skip to content

AI Trust Danger: Gemini CLI Malware Scenario

Featured case study

This scenario documents real-world AI-agent and supply-chain risks relevant to digital investigators in 2025–2026.

Scenario summary

An organization adopts Google Gemini CLI (@google/gemini-cli) and the run-gemini-cli GitHub Action for automated issue triage and code review. Attackers exploit:

  1. Prompt injection via public GitHub issues → secret exfiltration → repository write access (Pillar Security — TrustIssues)
  2. Headless workspace trust treating untrusted folders as trusted → RCE via malicious .gemini/ config (GHSA-wpqr-6v78-jr5g)
  3. Fake CLI installers delivering Windows infostealers via SEO-poisoned domains (Infosecurity Magazine)

Attack chain (supply-chain)

sequenceDiagram
    participant Attacker
    participant GitHubIssue
    participant GeminiAction
    participant Secrets
    participant Repo

    Attacker->>GitHubIssue: Open malicious issue (prompt injection)
    GitHubIssue->>GeminiAction: Triggers on issues:opened
    GeminiAction->>Secrets: Agent reads CI secrets from env
    Secrets->>Attacker: Exfiltration to attacker server
    Attacker->>Repo: Pivot to write token, push to main

Forensic questions

Question Where to look
Who triggered the workflow? GitHub Actions run logs, github.actor, issue author
What did the agent execute? Job logs, run-gemini-cli output, shell commands in transcript
Were secrets exposed? Audit log secret access, outbound connections in runner logs
Was the repo modified? git log, commit signatures, branch protection bypass events
Was a malicious issue the entry point? Issue body, comments, linked payloads

Workspace trust / headless RCE

Evidence Integrity

In headless CI, older Gemini CLI versions auto-trusted workspace folders, loading .gemini/settings.json and environment from untrusted PR/issue checkouts.

Investigator actions:

  • Identify Gemini CLI and run-gemini-cli versions in workflow YAML and package-lock.json
  • Collect .gemini/ directory from checked-out tree (hash and preserve)
  • Review --yolo or permissive run_shell_command allowlists in settings

Fake CLI / infostealer distribution

Attackers register lookalike domains (e.g. geminicli[.]co[.]com) and instruct victims to run a PowerShell one-liner that pulls payloads from gemini-setup[.]com.

Forensic artifacts (endpoint)

Artifact Location / method
PowerShell history ConsoleHost_history.txt, Event ID 4104
Downloaded payload %TEMP%, Prefetch, Amcache
Network indicators Firewall/proxy logs, DNS to lookalike domains
npm global install %APPDATA%\npm, package integrity vs official registry

Chain of Custody

Preserve the exact command line the user ran and disk image before remediation wipes temp directories.

Volatility / memory angle

If the developer machine was compromised during an active agent session:

  • Capture RAM before shutdown if policy allows
  • Use windows.netscan / windows.pslist for suspicious outbound connections
  • windows.malfind for injected code in IDE or terminal parent processes

References