Cybersecurity researchers have flagged three malicious NPM packages designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor.
Posing as developer tools that offer the “cheapest Cursor API,” these packages steal user credentials, fetch encrypted payloads from threat actor-controlled infrastructure, overwrite Cursor’s main file, and disable auto-updates to maintain persistence.
The packages in question are listed below –
All three packages can be downloaded from the NPM registry. “Aiide-Cur” was first released on February 14th, 2025, uploaded by a user named “Aiide”. The NPM library is described as a “command line tool for configuring the macOS version of the Cursor editor.”
According to the software supply chain security company, the other two packages were released one day earlier by a threat actor under the alias “GTR2018.” In total, the three packages have been downloaded over 3,200 times so far.
Once installed, the libraries are designed to harvest user-supplied Cursor credentials and retrieve the next-stage payload from a remote server (“T.SW2031(.)com” or “api.aiide(.)xyz”).
“SW-CUR” first disables Cursor’s automatic update mechanism and terminates all Cursor processes. The NPM package then restarts the application so that the patched code takes effect, allowing the threat actor to execute arbitrary code within the context of the platform.
The findings point to an emerging trend in which threat actors use rogue NPM packages as a way to introduce malicious changes to other legitimate libraries or software already installed on developer systems.
This is especially noteworthy because it adds a new layer of sophistication: the malware persists even after the malicious libraries are removed, so developers need to perform a clean install of the modified software.
“Patch-based compromise is a new and powerful addition to the arsenal of threat actors targeting the open source supply chain. Instead of (or in addition to) adding malware to the package manager, attackers publish seemingly harmless NPM packages that rewrite already trusted code on the victim’s machine,” Socket told The Hacker News.
“By operating within a legitimate parent process – an IDE or shared library – the malicious logic inherits the trust of the application, maintains persistence even after the problematic package is removed, and automatically gains privileges ranging from API tokens and signing keys to outbound network access.”
“This campaign highlights a growing supply chain threat, with threat actors using malicious patches to compromise trusted local software,” Boychenko said.
The selling point here is that the attackers are trying to take advantage of developers’ interest in AI, as well as those looking for cheaper usage fees to access AI models.
“The threat actor’s use of the catchphrase ‘The Cheap Cursor API’ may be targeting this group, luring users with the promise of discounted access while quietly deploying the backdoor,” the researchers added.
To combat such new supply chain threats, defenders should flag packages that run post-install scripts, modify files outside node_modules, or initiate unexpected network calls, and combine those indicators with strict version pinning, real-time dependency scans, and file integrity monitoring for critical dependencies.
The disclosure comes as Socket discovered two other NPM packages (Pumptoolforvolumeandcomment and Debugdogs) that deliver an obfuscated payload that siphons off cryptocurrency keys, wallet files, and trading data related to a cryptocurrency platform on macOS systems. The captured data is exfiltrated to a Telegram bot.
“Pumptoolforvolumeandcomment” was downloaded 625 times, while “Debugdogs,” published to NPM in September 2024 by a user named Olumideyo, has a total of 119 downloads.
“Debugdogs simply calls Pumptoolforvolumeandcomment, which makes it a convenient payload for secondary infections,” said security researcher Kush Pandya. “This ‘wrapper’ pattern doubles down on the main attack, making it easier to spread the core malicious code under multiple names without changing it.”
“This highly targeted attack could empty your wallet and reveal sensitive credentials and transaction data in seconds.”
“Rand-User-Agent” NPM package compromised in a supply chain attack
The discovery follows a report from Aikido on a supply chain attack that compromised a legitimate NPM package called “Rand-User-Agent” to inject code that conceals a remote access trojan (RAT). Versions 2.0.83, 2.0.84, and 1.0.110 are known to be malicious.
The newly released versions, per security researcher Charlie Eriksen, are designed to establish communication with external servers, change the current working directory, upload files, and receive commands that allow them to execute shell commands. The compromise was detected on May 5, 2025.
At the time of writing, the NPM package has been removed, and the associated GitHub repository is no longer accessible, redirecting users to a 404 page.
It is currently unclear how the NPM package was breached to make the unauthorized changes. Users who have upgraded to 2.0.83, 2.0.84, or 1.0.110 are advised to downgrade to the last safe version (2.0.82), released seven months ago. However, doing so will not remove the malware from the system.
Update
WebScrapingAPI, which maintains the library, told SecurityWeek that an unknown threat actor released a malicious package version after obtaining an outdated automation token that was not protected by two-factor authentication.