https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos
Security researchers have uncovered a sophisticated attack targeting users of Cursor, a popular AI-powered code editor for macOS. Three malicious npm packages, which remain available for download, have collectively infected more than 3,200 developers with a backdoor that steals credentials and maintains persistent access to compromised systems.
The packages, identified by Socket security researcher Kirill Boychenko, are disguised as developer tools offering discounted access to Cursor’s API services. Named “sw-cur” (2,771 downloads), “sw-cur1” (307 downloads), and “aiide-cur” (163 downloads), these libraries employ an innovative technique that modifies legitimate software already installed on victim systems.
“Disguised as developer tools offering ‘the cheapest Cursor API,’ these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence,” Boychenko explained.
The malware operates in multiple stages. After installation, it harvests Cursor login credentials provided by users and connects to remote command servers at “t.sw2031.com” or “api.aiide.xyz” to download additional malicious code. This payload then replaces legitimate Cursor components and disables the editor’s auto-update functionality to ensure persistence. Finally, the packages restart the application to activate their changes, giving attackers the ability to execute arbitrary code within the trusted editor environment.
What makes this attack particularly concerning is its persistence mechanism. According to Socket, “By operating inside a legitimate parent process—an IDE or shared library—the malicious logic inherits the application’s trust, maintains persistence even after the offending package is removed, and automatically gains whatever privileges that software holds, from API tokens and signing keys to outbound network access.”
The attackers appear to be exploiting developers’ interest in artificial intelligence tools, specifically targeting those seeking more affordable access to AI coding capabilities. “The threat actor’s use of the tagline ‘the cheapest Cursor API’ likely targets this group, luring users with the promise of discounted access while quietly deploying a backdoor,” noted Boychenko.
It is recommended that development teams implement multiple protective measures against such supply chain threats, including flagging packages that run post-installation scripts, modify files outside the node_modules directory, or initiate unexpected network connections. They also suggest rigorous version pinning, real-time dependency scanning, and file integrity monitoring for critical dependencies.
This attack represents part of a broader trend. Socket researchers have discovered similar techniques being used in other malicious npm packages including “pumptoolforvolumeandcomment” and “debugdogs,” which target cryptocurrency users. Additionally, Aikido security researchers recently reported a supply chain attack affecting the legitimate “rand-user-agent” npm package, which was compromised to distribute a remote access trojan across multiple versions.