Security researchers have flagged three harmful node packages that are designed to target the Apple macOS type of Cursor, a popular artificial intelligence ( AI)-powered source code writer.
” Disguised as developer equipment offering’the cheapest Cursor API,’ these packages steal consumer credentials, grab an encrypted cargo from danger actor-controlled infrastructure, overwrite Cursor’s key. java file, and delete auto-updates to keep persistence,” Socket scientist Kirill Boychenko .
The deals in issue are listed below-
All three plans continue to be available for download from the node registration. ” Aiide-cur” was first published on February 14, 2025. It was uploaded by a person named “aiide. ” The npm library is described as a” command-line tool for configuring the mac version of the Cursor editor. “
The other two packages, per the program provide network security agency, were published a day before by a threat actor under the name “gtr2018. ” In total, the three items have been installed over 3,200 occasions to day.
The libraries, once installed, are designed to harvest user-supplied Cursor credentials and fetch a next-stage payload from a remote server ( “t. sw2031[. ]com” or “api. aiide[. ]xyz” ), which is then used to replace a legitimate Cursor-specific code with malicious logic.
” Sw-cur” furthermore takes the action of disabling Cursor’s auto-update process and ending all Cursor techniques. The node packages then proceed to resume the program so that the fixed script takes effect, granting the danger professional to execute arbitrary code within the context of the platform.
The results point to an emerging trend where threat actors are using harmful packages as a way to create destructive modifications to other legitimate libraries or software previously installed on designer systems.
This is significant not least because it adds a new layer of sophistication by allowing the malware to persist even after the nefarious libraries have been removed, requiring developers to perform a clean install of the altered software again.
” Patch‑based compromise is a new and a powerful addition to the threat actor arsenal targeting open-source supply chains: Instead ( or in addition ) of slipping malware into a package manager, attackers publish a seemingly harmless npm package that rewrites code already trusted on the victim’s machine,” Socket told The Hacker News.
” By operating inside a legitimate parent process– an IDE or shared library– the malicious logic inherits the application’s trust, maintains persistence even after the offending package is removed, and automatically gains whatever privileges that software holds, from API tokens and signing keys to outbound network access. “
” This campaign highlights a growing supply chain threat, with threat actors increasingly using to compromise trusted local software,” Boychenko said.
The selling point here is that the attackers are attempting to exploit developers ‘ interest in AI as well as those who are looking for cheaper usage fees for access to AI models.
” The threat actor’s use of the tagline’the cheapest Cursor AP I’ likely targets this group, luring users with the promise of discounted access while quietly deploying a backdoor,” the researcher added.
To counter such novel supply chain threats, defenders are required to flag packages that run postinstall scripts, modify files outside node_modules, or initiate unexpected network calls, and combining those indicators with rigorous version pinning, real‑time dependency scanning, and file‑integrity monitoring on critical dependencies.
The disclosure comes as Socket uncovered two other npm packages – pumptoolforvolumeandcomment and debugdogs – to deliver an obfuscated payload that siphons cryptocurrency keys, wallet files, and trading data related to a cryptocurrency platform named BullX on and macOS systems. The captured data is exfiltrated to a Telegram bot.
While “pumptoolforvolumeandcomment” has been downloaded 625 times, “debugdogs” have received a total of 119 downloads since they were both published to npm in September 2024 by a user named “olumideyo. “
” Debugdogs simply invokes pumptoolforvolumeandcomment, making it a convenient secondary infection payload,” security researcher Kush Pandya . ” This’wrapper’ pattern doubles down on the main attack, making it easier to spread under multiple names without changing the core malicious code. “
” This highly targeted attack can empty wallets and expose sensitive credentials and trading data in seconds. “
Npm Package “rand-user-agent” Compromised in Supply Chain Attack
The discovery also follows a <a href="https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian–supply-chain-compromise” rel=”noopener” target=”_blank”>report from Aikido about a supply chain attack that has compromised a legitimate npm package called “” to inject code that conceals a remote access trojan (RAT ). Versions 2. 0. 83, 2. 0. 84, and 1. 0. 110 have been found to be malicious.
The newly released versions, per security researcher Charlie Eriksen, are designed to establish communications with an external server to receive commands that allow it to change the current working directory, upload files, and execute shell commands. The compromise was detected on May 5, 2025.
At the time of writing, the npm package has been marked deprecated and the associated is also no longer accessible, redirecting users to a 404 page.
It’s currently not clear how the npm package was breached to make the unauthorized modifications. Users who have upgraded to 2. 0. 83, 2. 0. 84, or 1. 0. 110 are advised to downgrade it back to the last safe version released seven months ago ( 2. 0. 82 ). However, doing so does not remove the malware from the system.