AI Trust Danger: Gemini CLI Malware Scenario¶
Featured case study
This scenario documents real-world AI-agent and supply-chain risks relevant to digital investigators in 2025–2026.
Scenario summary¶
An organization adopts Google Gemini CLI (@google/gemini-cli) and the run-gemini-cli GitHub Action for automated issue triage and code review. Attackers exploit:
- Prompt injection via public GitHub issues → secret exfiltration → repository write access (Pillar Security — TrustIssues)
- Headless workspace trust treating untrusted folders as trusted → RCE via malicious
.gemini/config (GHSA-wpqr-6v78-jr5g) - Fake CLI installers delivering Windows infostealers via SEO-poisoned domains (Infosecurity Magazine)
Attack chain (supply-chain)¶
sequenceDiagram
participant Attacker
participant GitHubIssue
participant GeminiAction
participant Secrets
participant Repo
Attacker->>GitHubIssue: Open malicious issue (prompt injection)
GitHubIssue->>GeminiAction: Triggers on issues:opened
GeminiAction->>Secrets: Agent reads CI secrets from env
Secrets->>Attacker: Exfiltration to attacker server
Attacker->>Repo: Pivot to write token, push to main
Forensic questions¶
| Question | Where to look |
|---|---|
| Who triggered the workflow? | GitHub Actions run logs, github.actor, issue author |
| What did the agent execute? | Job logs, run-gemini-cli output, shell commands in transcript |
| Were secrets exposed? | Audit log secret access, outbound connections in runner logs |
| Was the repo modified? | git log, commit signatures, branch protection bypass events |
| Was a malicious issue the entry point? | Issue body, comments, linked payloads |
Workspace trust / headless RCE¶
Evidence Integrity
In headless CI, older Gemini CLI versions auto-trusted workspace folders, loading .gemini/settings.json and environment from untrusted PR/issue checkouts.
Investigator actions:
- Identify Gemini CLI and
run-gemini-cliversions in workflow YAML andpackage-lock.json - Collect
.gemini/directory from checked-out tree (hash and preserve) - Review
--yoloor permissiverun_shell_commandallowlists in settings
Fake CLI / infostealer distribution¶
Attackers register lookalike domains (e.g. geminicli[.]co[.]com) and instruct victims to run a PowerShell one-liner that pulls payloads from gemini-setup[.]com.
Forensic artifacts (endpoint)¶
| Artifact | Location / method |
|---|---|
| PowerShell history | ConsoleHost_history.txt, Event ID 4104 |
| Downloaded payload | %TEMP%, Prefetch, Amcache |
| Network indicators | Firewall/proxy logs, DNS to lookalike domains |
| npm global install | %APPDATA%\npm, package integrity vs official registry |
Chain of Custody
Preserve the exact command line the user ran and disk image before remediation wipes temp directories.
Volatility / memory angle¶
If the developer machine was compromised during an active agent session:
- Capture RAM before shutdown if policy allows
- Use
windows.netscan/windows.pslistfor suspicious outbound connections windows.malfindfor injected code in IDE or terminal parent processes