Cybersecurity researchers have flagged three malicious npm packages which might be designed to focus on the Apple macOS model of Cursor, a preferred synthetic intelligence (AI)-powered supply code editor.
“Disguised as developer instruments providing ‘the most affordable Cursor API,’ these packages steal person credentials, fetch an encrypted payload from menace actor-controlled infrastructure, overwrite Cursor’s predominant.js file, and disable auto-updates to take care of persistence,” Socket researcher Kirill Boychenko stated.
The packages in query are listed beneath –
All three packages proceed to be accessible for obtain from the npm registry. “Aiide-cur” was first printed on February 14, 2025. It was uploaded by a person named “aiide.” The npm library is described as a “command-line device for configuring the macOS model of the Cursor editor.”
The opposite two packages, per the software program provide chain safety agency, had been printed a day earlier by a menace actor beneath the alias “gtr2018.” In whole, the three packages have been downloaded over 3,200 instances thus far.
The libraries, as soon as put in, are designed to reap user-supplied Cursor credentials and fetch a next-stage payload from a distant server (“t.sw2031[.]com” or “api.aiide[.]xyz”), which is then used to interchange a official Cursor-specific code with malicious logic.
“Sw-cur” additionally takes the step of disabling Cursor’s auto-update mechanism and terminating all Cursor processes. The npm packages then proceed to restart the appliance in order that the patched code takes impact, granting the menace actor to execute arbitrary code throughout the context of the platform.
The findings level to an rising pattern the place menace actors are utilizing rogue npm packages as a method to introduce malicious modifications to different official libraries or software program already put in on developer programs.
That is vital not least as a result of it provides a brand new layer of sophistication by permitting the malware to persist even after the nefarious libraries have been eliminated, requiring builders to carry out a clear set up of the altered software program once more.
“Patch‑primarily based compromise is a brand new and a strong addition to the menace actor arsenal concentrating on open-source provide chains: As an alternative (or as well as) of slipping malware right into a package deal supervisor, attackers publish a seemingly innocent npm package deal that rewrites code already trusted on the sufferer’s machine,” Socket informed The Hacker Information.
“By working inside a official guardian course of — an IDE or shared library — the malicious logic inherits the appliance’s belief, maintains persistence even after the offending package deal is eliminated, and mechanically positive factors no matter privileges that software program holds, from API tokens and signing keys to outbound community entry.”
“This marketing campaign highlights a rising provide chain menace, with menace actors more and more utilizing malicious patches to compromise trusted native software program,” Boychenko stated.
The promoting level right here is that the attackers try to use builders’ curiosity in AI in addition to those that are searching for cheaper utilization charges for entry to AI fashions.
“The menace actor’s use of the tagline ‘the most affordable Cursor API’ seemingly targets this group, luring customers with the promise of discounted entry whereas quietly deploying a backdoor,” the researcher added.
To counter such novel provide chain threats, defenders are required to flag packages that run postinstall scripts, modify recordsdata exterior node_modules, or provoke sudden community calls, and mixing these indicators with rigorous model pinning, actual‑time dependency scanning, and file‑integrity monitoring on vital dependencies.
The disclosure comes as Socket uncovered two different npm packages – pumptoolforvolumeandcomment and debugdogs – to ship an obfuscated payload that siphons cryptocurrency keys, pockets recordsdata, and buying and selling information associated to a cryptocurrency platform named BullX on and macOS programs. The captured information is exfiltrated to a Telegram bot.
Whereas “pumptoolforvolumeandcomment” has been downloaded 625 instances, “debugdogs” have obtained a complete of 119 downloads since they had been each printed to npm in September 2024 by a person named “olumideyo.”
“Debugdogs merely invokes pumptoolforvolumeandcomment, making it a handy secondary an infection payload,” safety researcher Kush Pandya stated. “This ‘wrapper’ sample doubles down on the primary assault, making it simpler to unfold beneath a number of names with out altering the core malicious code.”
“This extremely focused assault can empty wallets and expose delicate credentials and buying and selling information in seconds.”
Npm Bundle “rand-user-agent” Compromised in Provide Chain Assault
The invention additionally follows a report from Aikido a couple of provide chain assault that has compromised a official npm package deal known as “rand-user-agent” to inject code that conceals a distant entry trojan (RAT). Variations 2.0.83, 2.0.84, and 1.0.110 have been discovered to be malicious.
The newly launched variations, per safety researcher Charlie Eriksen, are designed to ascertain communications with an exterior server to obtain instructions that enable it to vary the present working listing, add recordsdata, and execute shell instructions. The compromise was detected on Could 5, 2025.
On the time of writing, the npm package deal has been marked deprecated and the related GitHub repository can also be not accessible, redirecting customers to a 404 web page.
It is at the moment not clear how the npm package deal was breached to make the unauthorized modifications. Customers who’ve upgraded to 2.0.83, 2.0.84, or 1.0.110 are suggested to downgrade it again to the final secure model launched seven months in the past (2.0.82). Nevertheless, doing so doesn’t take away the malware from the system.
Replace
WebScrapingAPI, which maintains the library, informed SecurityWeek that the unknown menace actors printed the malicious package deal variations after acquiring an outdated automation token that was not protected by two-factor authentication.
