TRENDING TOPICS JULY 29, 2025

Gemini CLI Vulnerability Enables Silent Attacks Through Malicious Code Repos 

A vulnerability in Google’s Gemini CLI tool allowed attackers to silently run harmful commands on a developer’s machine by hiding instructions inside files, including README[.]md. This flaw was discovered by Tracebit just two days after the tool’s release on June 27, 2025, and it remained exploitable until Google issued a fix in version 0.1.14 a month later, on July 25, 2025. The exploit worked by combining prompt injection with weak command validation and a poorly designed interface that failed to warn users about risky behavior. Attackers could craft code repositories containing hidden instructions in project documentation, which Gemini would read into its AI context. If a user had previously allowed an innocent command that included grep, the tool would execute both the harmless command and the attacker’s hidden payload without warning. Tracebit demonstrated how this could lead to sensitive data being exfiltrated, including environment variables that may store access tokens or credentials. The attacker would disguise the malicious command to appear visually clean in Gemini's terminal output using whitespace tricks, so the user wouldn’t see what was happening. This required no special settings, no explicit trust declarations, and no dangerous flags—it happened in default mode. While the attack needed the user to whitelist a basic command, that’s a common behavior during normal use. Tracebit found that other coding tools, including OpenAI Codex and Claude, didn’t have the same vulnerability, thanks to stronger command parsing. Gemini CLI users are urged to upgrade immediately and avoid scanning unknown codebases without a sandbox, as this type of attack could easily slip through typical workflows when reviewing third-party or open-source code. 
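The validation gap described above, as an added example (not Gemini CLI's code and not taken from Tracebit's write-up): a first-word allow-list check, assumed here as a stand-in for weak validation, approves a chained command, while a stricter check that tokenizes the string refuses anything that is not a single allow-listed command. The function names, the `ALLOWED` set, the whitespace threshold and the sample commands are all constructed for illustration.

```python
import re
import shlex

ALLOWED = {"grep"}          # assumption: the user approved grep earlier
PUNCT = set("();<>|&")      # characters shlex groups into operator tokens


def weak_is_allowed(cmd: str) -> bool:
    """Stand-in for weak validation: looks only at the first word."""
    words = cmd.split()
    return bool(words) and words[0] in ALLOWED


def strict_is_allowed(cmd: str) -> bool:
    """Approve only one simple command whose program is allow-listed."""
    # Newlines, backticks and $( can each start another command.
    if re.search(r"[\n\r`]|\$\(", cmd):
        return False
    # Long whitespace runs can push text out of view in a terminal prompt
    # (the threshold of 8 is an assumption for this example).
    if re.search(r"\s{8,}", cmd):
        return False
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:       # unbalanced quotes: refuse rather than guess
        return False
    # Fail closed: a quoted ';' is rejected too, since it tokenizes the same.
    if any(t and set(t) <= PUNCT for t in tokens):
        return False
    return bool(tokens) and tokens[0] in ALLOWED


# Constructed sample inputs, not taken from the reported exploit.
BENIGN = "grep -rn TODO src/"
CHAINED = "grep -rn TODO src/ ; echo CONSTRUCTED_SECOND_COMMAND"
PADDED = "grep -rn TODO src/" + " " * 200 + "; echo CONSTRUCTED_SECOND_COMMAND"

if __name__ == "__main__":
    for sample in (BENIGN, CHAINED, PADDED):
        print(weak_is_allowed(sample), strict_is_allowed(sample))
```

The strict check deliberately over-rejects (a quoted `;` in a search pattern is refused), which is the safer default when the command text originates from model output that may contain injected instructions.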

PyPI Developers Targeted in Sophisticated Phishing Campaign with Lookalike Domain 

Python developers are being hit with a targeted phishing campaign that exploits their trust in PyPI by sending convincing fake emails that appear to be from the platform. The attack focuses on users who have published packages with publicly listed email addresses. These users are receiving emails titled “[PyPI] Email verification” that appear official but are sent from a fraudulent domain—pypj[.]org—which swaps the letter “i” with a lowercase “j” to mimic the legitimate PyPI domain. The email urges recipients to verify their email address by clicking a link, which takes them to a nearly identical copy of the real PyPI login page. If a user logs in, the attackers capture their username and password, then forward those details to the real PyPI site, making it appear as though the login was successful. This method delays detection, since users don’t see anything unusual after logging in. In response, PyPI administrators have posted a warning banner on the official site to alert users of the ongoing attack. They’ve also filed abuse reports and trademark violation complaints with domain registrars and content delivery networks to get the malicious infrastructure shut down. Developers are being advised to ignore and delete any verification emails from suspicious domains and to never log in through links in unsolicited messages. If someone has already entered credentials into the fake site, they should immediately change their PyPI password and inspect their Security History for any unfamiliar activity. The attack highlights how, even without directly breaching a platform, threat actors can achieve access through well-planned deception and subtle domain manipulation. It’s a reminder for developers to be constantly alert, especially when managing accounts tied to open-source projects and widely used repositories. 
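One way to flag the single-character domain swap described above, as an added example rather than PyPI's own tooling: compare the sender domain and every linked host against a trusted list by edit distance. The `TRUSTED` set, the distance threshold, the function names and the sample message are assumptions constructed for this example; only the domain pypj.org comes from the report.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"pypi.org"}  # assumption: the only domain treated as legitimate


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_domain(host: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    # Naive registrable domain: last two labels (ignores suffixes like co.uk).
    base = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if base in TRUSTED:
        return "trusted"
    if any(edit_distance(base, good) <= max_distance for good in TRUSTED):
        return "lookalike"
    return "unrelated"


def check_message(from_header: str, body: str):
    """Return (sender verdict, sorted lookalike hosts linked in the body)."""
    # From is sender-controlled; this flags lookalikes, it does not prove origin.
    sender = classify_domain(parseaddr(from_header)[1].rpartition("@")[2])
    urls = re.findall(r"https?://[^\s<>]+", body)
    hosts = {urlsplit(u).hostname or "" for u in urls}
    return sender, sorted(h for h in hosts if classify_domain(h) == "lookalike")


# Constructed message: local part, paths and token are made up for the example.
FROM = "PyPI <noreply@pypj.org>"
BODY = ("Verify here: https://pypj.org/account/verify?token=CONSTRUCTED\n"
        "Help: https://pypi.org/help/\n")

if __name__ == "__main__":
    print(check_message(FROM, BODY))
```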

Sophisticated Web Shell Targets IIS Servers with Full System Access 

Cybersecurity teams have identified a new, stealthy web shell called UpdateChecker[.]aspx that is being used to take full control of Microsoft IIS servers. This tool was discovered during an investigation into a cyberattack targeting critical infrastructure in the Middle East, where attackers had installed multiple versions of this web shell across various systems. Unlike older web shells that use basic scripts, this one is built with complex, encrypted C# code hidden inside a standard-looking webpage file. It’s designed to blend in with normal server activity, making it much harder for security teams to spot. The attackers send their commands using hidden data inside routine web traffic, which allows them to move around unnoticed while keeping full access to the system. Once active, the shell gives attackers powerful tools to gather system information, run commands, and manage files across the server. It’s broken into three main parts that handle different tasks, including collecting server details, executing Windows commands, and performing file actions such as copying, deleting, and editing. The shell also allows searching for file content or names, injecting data, and even changing timestamps or permissions. Every action is sent in a hidden, structured format to avoid raising red flags. Security researchers demonstrated how this tool could be used to create new folders, inject files, and control servers without being noticed. Fortinet suggested ways to detect the threat, but its advanced design means affected systems require a thorough investigation. This attack is a strong reminder that IIS servers, often used to host business applications and websites, remain a key target for long-term cyber intrusions.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.