Cybersecurity researchers have flagged three malicious npm packages which can be designed to focus on the Apple macOS model of Cursor, a preferred synthetic intelligence (AI)-powered supply code editor.
“Disguised as developer instruments providing ‘the most cost effective Cursor API,’ these packages steal person credentials, fetch an encrypted payload from menace actor-controlled infrastructure, overwrite Cursor’s predominant.js file, and disable auto-updates to take care of persistence,” Socket researcher Kirill Boychenko mentioned.
The packages in query are listed under –
All three packages proceed to be out there for obtain from the npm registry. “Aiide-cur” was first revealed on February 14, 2025. It was uploaded by a person named “aiide.” The npm library is described as a “command-line device for configuring the macOS model of the Cursor editor.”
The opposite two packages, per the software program provide chain safety agency, have been revealed a day earlier by a menace actor beneath the alias “gtr2018.” In complete, the three packages have been downloaded over 3,200 instances up to now.
The libraries, as soon as put in, are designed to reap user-supplied Cursor credentials and fetch a next-stage payload from a distant server (“t.sw2031[.]com” or “api.aiide[.]xyz”), which is then used to exchange a official Cursor-specific code with malicious logic.
“Sw-cur” additionally takes the step of disabling Cursor’s auto-update mechanism and terminating all Cursor processes. The npm packages then proceed to restart the applying in order that the patched code takes impact, granting the menace actor to execute arbitrary code inside the context of the platform.
The findings level to an rising development the place menace actors are utilizing malicious packages as a option to introduce malicious modifications to different official libraries or software program already put in on developer programs.
That is important not least as a result of it provides a brand new layer of sophistication by permitting the malware to persist even after the nefarious libraries have been eliminated, requiring builders to carry out a clear set up of the altered software program once more.
“Patch‑primarily based compromise is a brand new and a strong addition to the menace actor arsenal focusing on open-source provide chains: As a substitute (or as well as) of slipping malware right into a package deal supervisor, attackers publish a seemingly innocent npm package deal that rewrites code already trusted on the sufferer’s machine,” Socket instructed The Hacker Information.
“By working inside a official father or mother course of — an IDE or shared library — the malicious logic inherits the applying’s belief, maintains persistence even after the offending package deal is eliminated, and mechanically positive aspects no matter privileges that software program holds, from API tokens and signing keys to outbound community entry.”
“This marketing campaign highlights a rising provide chain menace, with menace actors more and more utilizing malicious patches to compromise trusted native software program,” Boychenko mentioned.
The promoting level right here is that the attackers are trying to use builders’ curiosity in AI in addition to those that are searching for cheaper utilization charges for entry to AI fashions.
“The menace actor’s use of the tagline ‘the most cost effective Cursor API’ doubtless targets this group, luring customers with the promise of discounted entry whereas quietly deploying a backdoor,” the researcher added.
To counter such novel provide chain threats, defenders are required to flag packages that run postinstall scripts, modify recordsdata outdoors node_modules, or provoke sudden community calls, and mixing these indicators with rigorous model pinning, actual‑time dependency scanning, and file‑integrity monitoring on crucial dependencies.
The disclosure comes as Socket uncovered two different npm packages – pumptoolforvolumeandcomment and debugdogs – to ship an obfuscated payload that siphons cryptocurrency keys, pockets recordsdata, and buying and selling information associated to a cryptocurrency platform named BullX on and macOS programs. The captured information is exfiltrated to a Telegram bot.
Whereas “pumptoolforvolumeandcomment” has been downloaded 625 instances, “debugdogs” have obtained a complete of 119 downloads since they have been each revealed to npm in September 2024 by a person named “olumideyo.”
“Debugdogs merely invokes pumptoolforvolumeandcomment, making it a handy secondary an infection payload,” safety researcher Kush Pandya mentioned. “This ‘wrapper’ sample doubles down on the principle assault, making it simpler to unfold beneath a number of names with out altering the core malicious code.”
“This extremely focused assault can empty wallets and expose delicate credentials and buying and selling information in seconds.”
Npm Bundle “rand-user-agent” Compromised in Provide Chain Assault
The invention additionally follows a report from Aikido a couple of provide chain assault that has compromised a official npm package deal referred to as “rand-user-agent” to inject code that conceals a distant entry trojan (RAT). Variations 2.0.83, 2.0.84, and 1.0.110 have been discovered to be malicious.
The newly launched variations, per safety researcher Charlie Eriksen, are designed to ascertain communications with an exterior server to obtain instructions that enable it to vary the present working listing, add recordsdata, and execute shell instructions. The compromise was detected on Might 5, 2025.
On the time of writing, the npm package deal has been marked deprecated and the related GitHub repository can also be not accessible, redirecting customers to a 404 web page.
It is presently not clear how the npm package deal was breached to make the unauthorized modifications. Customers who’ve upgraded to 2.0.83, 2.0.84, or 1.0.110 are suggested to downgrade it again to the final secure model launched seven months in the past (2.0.82). Nevertheless, doing so doesn’t take away the malware from the system.
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.
