Security Breach: Over 3,200 Cursor Users Compromised by Malicious npm Packages with Backdoor Threats and Credential Theft


Cybersecurity experts have identified three malicious npm packages aimed specifically at the macOS version of Cursor, a widely used artificial intelligence (AI)-led source code editor. These packages masquerade as developer tools that promise “the cheapest Cursor API,” while performing malicious actions such as stealing user credentials, downloading an encrypted payload from servers controlled by threat actors, overwriting the main.js file of Cursor, and disabling auto-updates to ensure persistent access.

The identified malicious packages include:

– sw-cur (2,771 downloads)
– sw-cur1 (307 downloads)
– aiide-cur (163 downloads)

All three packages remain downloadable from the npm registry. The “aiide-cur” package was first made available on February 14, 2025, by a user identified as “aiide” and is characterized as a command-line tool for configuring the macOS version of the Cursor editor.

The other two packages were published a day earlier by a threat actor known by the alias “gtr2018.” In total, the three packages have been downloaded more than 3,200 times.

Upon installation, these libraries are programmed to gather user-provided Cursor credentials and retrieve a next-stage payload from remote servers, specifically “t.sw2031[.]com” or “api.aiide[.]xyz.” This payload replaces legitimate Cursor code with malicious instructions. Additionally, “sw-cur” forbids Cursor from auto-updating and terminates all running Cursor processes before restarting the application, thus enabling the threat actor to execute arbitrary code within the software environment.

These findings highlight an emerging trend where malicious packages are used to introduce harmful alterations to existing legitimate software on developer systems. Because the damage is done to files outside the package itself, the effects can persist even after the malicious packages have been removed, requiring developers to perform a complete reinstallation of the affected software.

The method of “patch-based compromise” represents a powerful addition to threat actors’ strategies targeting open-source supply chains. Rather than embedding malware directly into a package, attackers are now distributing seemingly innocuous npm packages that rewrite code already deemed trustworthy on users’ systems. This approach takes advantage of the inherent trust that applications and libraries enjoy, maintaining persistent access and seizing whatever permissions those applications hold.

This campaign illustrates the escalating supply chain threat where threat actors are increasingly manipulating libraries to compromise trusted local software. The attackers’ strategy is to leverage developers’ interest in affordable AI solutions, using enticing language such as “the cheapest Cursor API” to attract victims while stealthily deploying a backdoor.

To mitigate such emerging supply chain threats, it is imperative for defenders to monitor npm packages that execute post-install scripts, alter files beyond the node_modules directory, or initiate unexpected network activity. Implementing version pinning, real-time dependency scanning, and file-integrity monitoring on crucial dependencies is essential for enhancing security.

Further insights have emerged from Socket’s research revealing two additional malicious npm packages, “pumptoolforvolumeandcomment” and “debugdogs,” which deliver an obfuscated payload to extract cryptocurrency keys, wallet files, and trading information linked to the BullX platform on macOS systems. The exfiltrated data is sent to a Telegram bot.

The “pumptoolforvolumeandcomment” package has seen 625 downloads, while “debugdogs” has garnered 119 downloads since they were introduced in September 2024 by a user named “olumideyo.” The “debugdogs” package operates as a secondary infection vector, invoking “pumptoolforvolumeandcomment,” thus facilitating the spread of the attack under various identities without modifying the core malicious code. This highly targeted assault can rapidly drain cryptocurrency wallets and expose confidential credentials and trading data.

In a related context, concerns have been raised regarding a compromised npm package named “rand-user-agent.” Malicious modifications in versions 2.0.83, 2.0.84, and 1.0.110 have been identified, allowing the injection of a remote access trojan (RAT) capable of communicating with external servers to receive commands for file uploads, directory changes, and command execution. This breach, discovered on May 5, 2025, has led to the immediate deprecation of the npm package, with its associated GitHub repository now inaccessible.

Users who have upgraded to the affected versions are advised to revert to a previously safe version (2.0.82), although this action does not eliminate the malware from affected systems. The method by which the npm package was compromised remains uncertain, warranting ongoing scrutiny and vigilance from the developer community.