Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor.
“Disguised as developer tools offering ‘the cheapest Cursor API,’ these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence,” Socket researcher Kirill Boychenko said.
The packages in question are listed below –
All three packages continue to be available for download from the npm registry. “Aiide-cur” was first published on February 14, 2025. It was uploaded by a user named “aiide.” The npm library is described as a “command-line tool for configuring the macOS version of the Cursor editor.”
The other two packages, per the software supply chain security firm, were published a day earlier by a threat actor under the alias “gtr2018.” In total, the three packages have been downloaded over 3,200 times to date.
The libraries, once installed, are designed to harvest user-supplied Cursor credentials and fetch a next-stage payload from a remote server (“t.sw2031[.]com” or “api.aiide[.]xyz”), which is then used to replace a legitimate Cursor-specific code with malicious logic.
“Sw-cur” also takes the step of disabling Cursor’s auto-update mechanism and terminating all Cursor processes. The npm packages then proceed to restart the application so that the patched code takes effect, granting the threat actor to execute arbitrary code within the context of the platform.
“This campaign highlights a growing supply chain threat, with threat actors increasingly using malicious patches to compromise trusted local software,” Boychenko said.
The selling point here is that the attackers are attempting to exploit developers’ interest in AI as well as those who are looking for cheaper usage fees for access to AI models.
“The threat actor’s use of the tagline ‘the cheapest Cursor API’ likely targets this group, luring users with the promise of discounted access while quietly deploying a backdoor,” the researcher added.
The disclosure comes as Socket uncovered two other npm packages – pumptoolforvolumeandcomment and debugdogs – to deliver an obfuscated payload that siphons cryptocurrency keys, wallet files, and trading data related to a cryptocurrency platform named BullX on and macOS systems. The captured data is exfiltrated to a Telegram bot.
While “pumptoolforvolumeandcomment” has been downloaded 625 times, “debugdogs” have received a total of 119 downloads since they were both published to npm in September 2024 by a user named “olumideyo.”
“Debugdogs simply invokes pumptoolforvolumeandcomment, making it a convenient secondary infection payload,” security researcher Kush Pandya said. “This ‘wrapper’ pattern doubles down on the main attack, making it easier to spread under multiple names without changing the core malicious code.”
“This highly targeted attack can empty wallets and expose sensitive credentials and trading data in seconds.”
Npm Package “rand-user-agent” Compromised in Supply Chain Attack
The discovery also follows a report from Aikido about a supply chain attack that has compromised a legitimate npm package called “rand-user-agent” to inject code that conceals a remote access trojan (RAT). Versions 2.0.83, 2.0.84, and 1.0.110 have been found to be malicious.
The newly released versions, per security researcher Charlie Eriksen, are designed to establish communications with an external server to receive commands that allow it to change the current working directory, upload files, and execute shell commands. The compromise was detected on May 5, 2025.
At the time of writing, the npm package has been marked deprecated and the associated GitHub repository is also no longer accessible, redirecting users to a 404 page.
It’s currently not clear how the npm package was breached to make the unauthorized modifications. Users who have upgraded to 2.0.83, 2.0.84, or 1.0.110 are advised to downgrade it back to the last safe version released seven months ago (2.0.82). However, doing so does not remove the malware from the system.
