Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor.
“Disguised as developer tools offering ‘the cheapest Cursor API,’ these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence,” Socket researcher Kirill Boychenko said.
The packages in question are listed below –
All three packages continue to be available for download from the npm registry. “Aiide-cur” was first published on February 14, 2025. It was uploaded by a user named “aiide.” The npm library is described as a “command-line tool for configuring the macOS version of the Cursor editor.”
The other two packages, per the software supply chain security firm, were published a day earlier by a threat actor under the alias “gtr2018.” In total, the three packages have been downloaded over 3,200 times to date.
The libraries, once installed, are designed to harvest user-supplied Cursor credentials and fetch a next-stage payload from a remote server (“t.sw2031[.]com” or “api.aiide[.]xyz”), which is then used to replace a legitimate Cursor-specific code with malicious logic.
“Sw-cur” also takes the step of disabling Cursor’s auto-update mechanism and terminating all Cursor processes. The npm packages then proceed to restart the application so that the patched code takes effect, granting the threat actor to execute arbitrary code within the context of the platform.
The findings point to an emerging trend where threat actors are using rogue npm packages as a way to introduce malicious modifications to other legitimate libraries or software already installed on developer systems.
This is significant not least because it adds a new layer of sophistication by allowing the malware to persist even after the nefarious libraries have been removed, requiring developers to perform a clean install of the altered software again.
“Patch‑based compromise is a new and a powerful addition to the threat actor arsenal targeting open-source supply chains: Instead (or in addition) of slipping malware into a package manager, attackers publish a seemingly harmless npm package that rewrites code already trusted on the victim’s machine,” Socket told The Hacker News.
“By operating inside a legitimate parent process — an IDE or shared library — the malicious logic inherits the application’s trust, maintains persistence even after the offending package is removed, and automatically gains whatever privileges that software holds, from API tokens and signing keys to outbound network access.”
“This campaign highlights a growing supply chain threat, with threat actors increasingly using malicious patches to compromise trusted local software,” Boychenko said.
The selling point here is that the attackers are attempting to exploit developers’ interest in AI as well as those who are looking for cheaper usage fees for access to AI models.
“The threat actor’s use of the tagline ‘the cheapest Cursor API’ likely targets this group, luring users with the promise of discounted access while quietly deploying a backdoor,” the researcher added.
To counter such novel supply chain threats, defenders are required to flag packages that run postinstall scripts, modify files outside node_modules, or initiate unexpected network calls, and combining those indicators with rigorous version pinning, real‑time dependency scanning, and file‑integrity monitoring on critical dependencies.
The disclosure comes as Socket uncovered two other npm packages – pumptoolforvolumeandcomment and debugdogs – to deliver an obfuscated payload that siphons cryptocurrency keys, wallet files, and trading data related to a cryptocurrency platform named BullX on and macOS systems. The captured data is exfiltrated to a Telegram bot.
While “pumptoolforvolumeandcomment” has been downloaded 625 times, “debugdogs” have received a total of 119 downloads since they were both published to npm in September 2024 by a user named “olumideyo.”
“Debugdogs simply invokes pumptoolforvolumeandcomment, making it a convenient secondary infection payload,” security researcher Kush Pandya said. “This ‘wrapper’ pattern doubles down on the main attack, making it easier to spread under multiple names without changing the core malicious code.”
“This highly targeted attack can empty wallets and expose sensitive credentials and trading data in seconds.”
Npm Package “rand-user-agent” Compromised in Supply Chain Attack
The discovery also follows a report from Aikido about a supply chain attack that has compromised a legitimate npm package called “rand-user-agent” to inject code that conceals a remote access trojan (RAT). Versions 2.0.83, 2.0.84, and 1.0.110 have been found to be malicious.
The newly released versions, per security researcher Charlie Eriksen, are designed to establish communications with an external server to receive commands that allow it to change the current working directory, upload files, and execute shell commands. The compromise was detected on May 5, 2025.
At the time of writing, the npm package has been marked deprecated and the associated GitHub repository is also no longer accessible, redirecting users to a 404 page.
It’s currently not clear how the npm package was breached to make the unauthorized modifications. Users who have upgraded to 2.0.83, 2.0.84, or 1.0.110 are advised to downgrade it back to the last safe version released seven months ago (2.0.82). However, doing so does not remove the malware from the system.
Update
WebScrapingAPI, which maintains the library, told SecurityWeek that the unknown threat actors published the malicious package versions after obtaining an outdated automation token that was not protected by two-factor authentication.
