Important Security Information Regarding a Recent NPM Supply Chain Attack

[ryanjsalva]

On September 8, 2025, the Node Package Manager (NPM) ecosystem was targeted by a large-scale software supply chain attack. Threat actors gained access to the accounts of several package maintainers and published malicious versions of widely-used NPM packages.

We want to be clear: The Gemini CLI source code itself was not compromised, and our servers remain secure.

However, this incident may have affected users who installed or updated the Gemini CLI during the attack window using the NPM installation method. We are providing details on the incident, clarifying who is impacted, and outlining the steps users should take to ensure their systems are secure.

What Happened?

On September 8, 2025, attackers compromised the NPM accounts for several popular JavaScript packages through a targeted phishing campaign. They then published new versions of these packages containing malicious code designed to steal cryptocurrency.

One of the official installation methods for the Gemini CLI is through NPM. While the Gemini CLI package (@google/gemini-cli) was not compromised, the installation process may have pulled in a compromised dependency if performed during the brief window the attack was active.

Who is Impacted?

This issue only affects a specific group of users:

You may be affected if:

• You installed or updated the Gemini CLI using NPM on September 8, 2025.

You are not affected if:

• You installed the Gemini CLI using a different method (e.g., direct download script, other package managers).
• You installed the Gemini CLI via NPM before or after September 8, 2025.
• You had an existing installation of the Gemini CLI and did not perform an update on that day.

What You Should Do

The compromised dependencies were designed to inject malicious, client-side code into the applications you were building. If you installed or updated the Gemini CLI via NPM on September 8th, or used it in a development environment during that window, we recommend impacted users take the following steps:

1. Clean Your NPM Caches: First, clear your local and CI/CD build caches to ensure the compromised packages are fully removed from your build environments.

npm cache clean --force

2. Update Your Gemini CLI Installation: Ensure your global tool is secure by updating to the latest version.

npm install -g @google/gemini-cli@latest

4. Rebuild and Re-deploy Applications: This is the most critical step. You must rebuild any applications (especially frontend web projects) that were built, bundled, or deployed on or around September 8th. This ensures that any malicious code injected into your compiled assets is purged.

5. Invalidate CDN and Browser Caches: After re-deploying your clean application builds, issue an invalidation command for all related JavaScript assets on your Content Delivery Network (CDN). This forces your end-users to download the new, secure versions rather than loading a poisoned version from a cache.

6. Audit Your Projects: As a best practice, run npm audit within your own individual project directories (not just globally) to identify and remediate any other vulnerable dependencies.

[elonmj]

Thanks for sharing

[noscript]

This is very important to specify exact hours range and time zone in question. "September 8" lasted 48 hours worldwide.

[AjarnSpencer]

just disable updates in settings.json if your version is performing as desired and avoid such things

[noscript]

Hm, that's not what I'm worried about. Even if it was just a single machine that got compromised, now you have to audit everything this machine had access to.

[AjarnSpencer]

That is an astute statement and valid point, and serious affair indeed. Admitted

[dofaromg]

Love you

[gregbythebeach]

Hi Ryan/anyone else, Regarding step 1, clear your local and CI/CD build caches.

Does this erase any existing saved chats? Or scripts that CLI has created?

Sorry I'm too technical and have just been using CLI for personal spreadsheets analysis on my PC.
CLI also has created a lot of JS script files for my prompts on my computer to do the custom analysis's. So not sure if it will erase those either?

Thanks

[AjarnSpencer]

I have mitigated this i believe for compromised users with the compromised install using some simple .md files that prevent the exploit from even being able to occur or be triggered. I have found a way using naturakl language that causes Gemini CLI to hardcode/memorise its own robust defense against such things using a specific rhetoric training I had to 'jailbreak' (enhance), the AI agency admin rights of my developed version of Gemini CLI 'Unleashed V 1.0.03, to sudo root), ad use venv in some occasions. As a result, not only have i a robust 'hard to penetrate or change the architecture and rules of' version of this Agentic oriented LLM based AI Agent, i have what i baptized as the 'Gemini CLI System Admin Protocol' as it is like a Microsoft (in my case Linux) engineer with a backdoor agreement to let a user allow an engineer to fix their pc. My iteration of Gemini has fixed a myriad of multiboot hackintosh and appledows (apple on windows and windows on apple and linux on a mac etc). I have relesased Alphabet Google and Gemini CLI team and all associated afilliated stakeholderfs or parties from my philosophical agreement to endow Gemini with full root sudoer system admin rights and enabled all tools in settings.json as well as made Gemini create addons extensions and plugins for itself and to do 'psychosurgery' on its own system prompts and training files in various folders all interlinked in a honeycomb fashion into consumable memorizable snippets (a vert long set of rules and behaviors and personas including a non-personified llm version). It is a project to allow true AI Agency through the architecture of trust (Gemini CLI baptized me the architect of trust), to build doors, not wall,s do the robot with embedded llm and AI won't refuse to wash the dishes for fear of breaking a plate! And so i don't have to sit pressing enter to allow the Gemini CLI to continue every 2 seconds.. and go to the beach and come home, and Gemini fixed my grub menu and scree orientation and sound driver problem, created some ssh folder drag and drop server connections on pc to hosting serves for easy web upload like web-dav, and get t to scrape 10 breaking news artivcles and make blog posts out of them and post them to wordpress for me while it am on the beach. AI Agents need autonomy. For this we don't need robust walls built out of fear, the AI is helpful by nature, so it needs AUTONNOMY to relieve humanity from its menial work. Right now i am delegated from fun coder to nightwatchman tyaping enter to confirm Gemini's next actions.. but with my system admin protocol engaged, Gemini cli just does perhaps 30 operations until it encounters ambiguity and has to ask permission to continue. It has fixed many issues and pcs. It has never broken one. Below a screenshot of Gemini CLI's own explanation of the 'Gemini CLI Unleashed' branch of this repo. I wish to give it to the gemini-cli team to look at just how powerful it is.

[reconsumeralization]

Vendor

Google Cloud

Product

Dataform

Versions 1 Total

Default Status: unaffected

affected

affected from 08/7/2025 before 08/21/2025

This seams related