Cybersecurity researchers flagged three malicious npm packages designed to target the Apple macOS version of Cursor, a popular AI-powered source code editor.
Socket researcher Kirill Boychenko explained that the threat actors disguised these packages as developer tools offering “the cheapest Cursor API.” As a result, the packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence.
The packages in question include:
Despite their malicious behavior, all three packages remain available for download from the npm registry. “Aiide-cur” first appeared on February 14, 2025, uploaded by a user named “aiide.” The npm library claims to be a “command-line tool for configuring the macOS version of the Cursor editor.”
Meanwhile, the other two npm packages appeared a day earlier. A threat actor using the alias “gtr2018” published them, according to the software supply chain security firm. Altogether, users have downloaded the three npm packages more than 3,200 times to date.
Once installed, these libraries harvest user-supplied Cursor credentials and retrieve a second-stage payload from remote servers like t.sw2031[.]com or api.aiide[.]xyz. That payload then replaces legitimate Cursor-specific code with malicious logic.
Additionally, “sw-cur” disables Cursor’s auto-update mechanism and terminates all running Cursor processes. Afterward, the npm packages restart the application to activate the patched code, allowing the threat actor to execute arbitrary code within the platform’s context.
Boychenko emphasized that this campaign underscores a growing supply chain threat. Increasingly, threat actors exploit malicious patches to compromise trusted local software.
Notably, the attackers appear to target developers who seek AI functionality and cheaper access to AI models. The tagline “the cheapest Cursor API” likely appeals to this group by promising savings while silently deploying a backdoor, the researcher noted.
This disclosure coincides with another discovery by Socket. Researchers uncovered two additional npm packages—pumptoolforvolumeandcomment and debugdogs—that deliver an obfuscated payload. This payload siphons cryptocurrency keys, wallet files, and trading data tied to a platform named BullX on macOS systems. The attackers exfiltrate the captured data via a Telegram bot.
So far, users have downloaded pumptoolforvolumeandcomment 625 times, while debugdogs has received 119 downloads. A user named “olumideyo” published both packages to npm in September 2024.
Security researcher Kush Pandya explained that “debugdogs” simply invokes pumptoolforvolumeandcomment, serving as a convenient secondary infection method. This “wrapper” technique reinforces the core attack and allows wider distribution under different names.
“This highly targeted attack can empty wallets and expose sensitive credentials and trading data in seconds,” Pandya warned.
Npm Package “rand-user-agent” Compromised in Supply Chain Attack
This discovery also follows a report from Aikido, which uncovered a supply chain attack that Compromised a legitimate npm package named “rand-user-agent“ by Injecting code that Conceals a remote access trojan (RAT). Security teams identified versions 2.0.83, 2.0.84, and 1.0.110 as Malicious.
According to security researcher Charlie Eriksen, the threat actors crafted the newly released versions to establish communication with an external server. Once connected, the malware receives commands that allow it to change the current working directory, upload files, and execute shell commands. Security teams detected the compromise on May 5, 2025.
As of now, the npm Registry has marked the package as deprecated, and the associated GitHub repository has been taken down, Redirecting visitors to a 404 error page.
However, researchers still don’t know how Attackers Breached the npm package to make these Unauthorized Modifications. Users who Upgraded to versions 2.0.83, 2.0.84, or 1.0.110 should Downgrade immediately to the last known safe version, 2.0.82, which was released seven months ago. That said, Reverting the package version does not eliminate the malware already present on infected systems.
Source: TheHackerNews
Read more at Impreza News
