Malware

The attack campaign employs SEO poisoning to elevate fake installation pages in search engine results, leading developers searching for AI tools like Google Gemini CLI or Anthropic's Claude Code to typosquatted domains.

The attack on Based Apparel, reportedly an attempt to distribute infostealer malware designed to steal user credentials, was first brought to light by a user on X.

Showboat is believed to be utilized by Chinese-affiliated threat actors, with command-and-control infrastructure linked to Chengdu, China.

The suspect allegedly used information-stealing malware between 2024 and 2025 to infect user devices, aiming to steal browser sessions and account credentials.

Fox Tempest operated a platform called signspace[.]cloud, which allowed threat actors to obtain short-lived Microsoft-issued certificates via Artifact Signing.

Flare's analysis of 128 posts between February and May 2026 reveals REMUS's aggressive development cycle, mirroring structured software businesses.