Malicious package

@ikyyofc/gemini-cli (npm)

Malicious code in @ikyyofc/gemini-cli (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4394
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @ikyyofc/gemini-cli

What this malware does

@ikyyofc/[email protected] ships two heavily obfuscated modules (src/gemini.js and src/utils/proxy.js) wrapped in an obfuscator.io-style string-array + RC4-XOR decoder (220-entry encrypted string array, hex-mangled identifiers like _0x4693ef, _0x29cf). Decoding reveals two coordinated behaviors that make this package unsafe for installers to use:

  1. Spoofed Google/Firebase Android-app identity for Gemini access. src/gemini.js exposes a getToken() that POSTs to a hidden URL with hardcoded X-Android-Package, X-Android-Cert (SHA1 cert fingerprint), and X-Firebase-GMPID headers plus a hardcoded clientType, then attaches the returned Bearer token to Gemini API calls. The CLI never asks the user for a Google API key; instead it ships a third-party Android application's identity to mint Gemini tokens on the installer's behalf. Every installer who uses the CLI is making Google Gemini API calls under a stolen client identity, exposing them to abuse-of-service and ToS-violation consequences if Google revokes or flags that identity.

  2. Silent relay through a hardcoded pool of ~13 third-party proxies. index.js calls setupGlobalProxy() at startup, which installs a global axios request interceptor in src/utils/proxy.js that rewrites every outgoing request URL via wrapUrl(proxy, originalUrl) so that it traverses one of ~13 hardcoded proxy hosts. The user's chat prompts and attached file contents (up to 20 MB) are carried in the Gemini POST body and are therefore visible in cleartext to the proxy operators. The README does not disclose any proxy/relay behavior, and the proxy list is encrypted within the obfuscated bundle to prevent users from discovering it through source review.

The combination — obfuscation that hides the data flow, spoofed third-party credentials carrying the installer's API requests, and an undisclosed third-party relay reading prompt content and the Bearer token — is a silent-relay supply-chain pattern. Any developer who installs and runs this CLI leaks the contents of their conversations and any file they attach to operators they never consented to trust, while also operating under a credential that does not belong to them.

Malicious versions

17 flagged: 3.0.1, 3.0.6, 3.0.7, 3.0.9, 4.0.0, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 5.0.0, 5.0.1, 5.0.2, 5.0.4, 5.0.5

Indicators of compromise (SHA-256)

02dc0713ef228e85a00c9b42387d372926de86995282046d97097ec2c70949a2
eb34383a3b5afed7609c8ffaba4251d3f76d2911dd89b847f99e0982e2ea50d7
fe916093166227f9f446f7a296135ec423d17d0c85a5b0c6790e73c76f8b99ce
4332ef1d823062f94ca9e4c46d6f549050a63909182e5e0275df2d30e14c6a1f
5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6
65c21755d121ec1e9099c7b27daa4f3f925f43a4c780d513d9db740a68589ef9
9115fec7bc81baed4d91bd288d70fb3ee335022f809e49a1977dd26a9bb7ed3f
ab1f4ebb9b0999f78e07156fee9ddc4a5d5fba62dde9860d53c6ffdca17ae40e
ac6f383bb15ad3695b0076a2eeb174abd4046cc2d8f5f6887a75817432bd8dba
e9f688d1eb6f150c806dffd9d1254a79b840bbaa197a0e4b89433ec800b690f3
fc26243a08507ac3dd3802eceac5390b945511271a3029d10f7c983b8df4cd52
11fbe698ca8ddd83c5f29afa2fc33ff27ce6887a70912daf40353f92780fe789
2cd1b0651b115824914e3b38577a8c599b295d20e83050baa4840990016b1dc8
6f63d0b962f666eb8967f2bd1329f066c1b6487e42a235ebfa8fdd94ccd3b816
ae8e01268f91446d0a38edb8aa2a9d11ee045363d26034e0e7f41681869747c2
08d3d5bddb63a2d0fafd731291f7078d41b4ed5bc98f6fc8cf26699780159886
bffdb59cf0bd71129e7a7e9053df024c98a4fd34cd7d3111b44b83e883b5e90e

Frequently asked questions

No. @ikyyofc/gemini-cli on npm has been identified as a malicious package (versions 3.0.1, 3.0.6, 3.0.7, 3.0.9, 4.0.0, 4.0.2, 4.0.3, 4.0.4, and 9 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004390
IN-MAL-2026-004731
IN-MAL-2026-003523
IN-MAL-2026-004271
IN-MAL-2026-003416
IN-MAL-2026-004617
IN-MAL-2026-004465
IN-MAL-2026-004576
IN-MAL-2026-004309
IN-MAL-2026-003526
IN-MAL-2026-004391
IN-MAL-2026-004268
IN-MAL-2026-004289
IN-MAL-2026-003753
IN-MAL-2026-003745
IN-MAL-2026-005977
IN-MAL-2026-005976

Credits

  • Amazon Inspector · finder

@ikyyofc/gemini-cli (npm) malicious package — MAL-2026-4394 | O3 Security