Cybersecurity researchers have flagged three malicious npm packages which are designed to focus on the Apple macOS model of Cursor, a well-liked synthetic intelligence (AI)-powered supply code editor.
“Disguised as developer instruments providing ‘the most affordable Cursor API,’ these packages steal person credentials, fetch an encrypted payload from menace actor-controlled infrastructure, overwrite Cursor’s major.js file, and disable auto-updates to take care of persistence,” Socket researcher Kirill Boychenko mentioned.
The packages in query are listed beneath –
All three packages proceed to be obtainable for obtain from the npm registry. “Aiide-cur” was first revealed on February 14, 2025. It was uploaded by a person named “aiide.” The npm library is described as a “command-line software for configuring the macOS model of the Cursor editor.”
The opposite two packages, per the software program provide chain safety agency, had been revealed a day earlier by a menace actor beneath the alias “gtr2018.” In complete, the three packages have been downloaded over 3,200 instances to this point.
The libraries, as soon as put in, are designed to reap user-supplied Cursor credentials and fetch a next-stage payload from a distant server (“t.sw2031[.]com” or “api.aiide[.]xyz”), which is then used to interchange a reputable Cursor-specific code with malicious logic.
“Sw-cur” additionally takes the step of disabling Cursor’s auto-update mechanism and terminating all Cursor processes. The npm packages then proceed to restart the appliance in order that the patched code takes impact, granting the menace actor to execute arbitrary code throughout the context of the platform.
The findings level to an rising development the place menace actors are utilizing malicious packages as a technique to introduce malicious modifications to different reputable libraries or software program already put in on developer methods.
That is important not least as a result of it provides a brand new layer of sophistication by permitting the malware to persist even after the nefarious libraries have been eliminated, requiring builders to carry out a clear set up of the altered software program once more.
“Patch‑based mostly compromise is a brand new and a strong addition to the menace actor arsenal focusing on open-source provide chains: As a substitute (or as well as) of slipping malware right into a bundle supervisor, attackers publish a seemingly innocent npm bundle that rewrites code already trusted on the sufferer’s machine,” Socket advised The Hacker Information.
“By working inside a reputable guardian course of — an IDE or shared library — the malicious logic inherits the appliance’s belief, maintains persistence even after the offending bundle is eliminated, and mechanically positive factors no matter privileges that software program holds, from API tokens and signing keys to outbound community entry.”
“This marketing campaign highlights a rising provide chain menace, with menace actors more and more utilizing malicious patches to compromise trusted native software program,” Boychenko mentioned.
The promoting level right here is that the attackers try to use builders’ curiosity in AI in addition to those that are in search of cheaper utilization charges for entry to AI fashions.
“The menace actor’s use of the tagline ‘the most affordable Cursor API’ probably targets this group, luring customers with the promise of discounted entry whereas quietly deploying a backdoor,” the researcher added.
To counter such novel provide chain threats, defenders are required to flag packages that run postinstall scripts, modify information outdoors node_modules, or provoke sudden community calls, and mixing these indicators with rigorous model pinning, actual‑time dependency scanning, and file‑integrity monitoring on vital dependencies.
The disclosure comes as Socket uncovered two different npm packages – pumptoolforvolumeandcomment and debugdogs – to ship an obfuscated payload that siphons cryptocurrency keys, pockets information, and buying and selling knowledge associated to a cryptocurrency platform named BullX on and macOS methods. The captured knowledge is exfiltrated to a Telegram bot.
Whereas “pumptoolforvolumeandcomment” has been downloaded 625 instances, “debugdogs” have acquired a complete of 119 downloads since they had been each revealed to npm in September 2024 by a person named “olumideyo.”
“Debugdogs merely invokes pumptoolforvolumeandcomment, making it a handy secondary an infection payload,” safety researcher Kush Pandya mentioned. “This ‘wrapper’ sample doubles down on the primary assault, making it simpler to unfold beneath a number of names with out altering the core malicious code.”
“This extremely focused assault can empty wallets and expose delicate credentials and buying and selling knowledge in seconds.”
Npm Bundle “rand-user-agent” Compromised in Provide Chain Assault
The invention additionally follows a report from Aikido a couple of provide chain assault that has compromised a reputable npm bundle referred to as “rand-user-agent” to inject code that conceals a distant entry trojan (RAT). Variations 2.0.83, 2.0.84, and 1.0.110 have been discovered to be malicious.
The newly launched variations, per safety researcher Charlie Eriksen, are designed to ascertain communications with an exterior server to obtain instructions that enable it to alter the present working listing, add information, and execute shell instructions. The compromise was detected on Might 5, 2025.
On the time of writing, the npm bundle has been marked deprecated and the related GitHub repository can also be now not accessible, redirecting customers to a 404 web page.
It is presently not clear how the npm bundle was breached to make the unauthorized modifications. Customers who’ve upgraded to 2.0.83, 2.0.84, or 1.0.110 are suggested to downgrade it again to the final secure model launched seven months in the past (2.0.82). Nevertheless, doing so doesn’t take away the malware from the system.
