Full Report
Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor. "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's
Analysis Summary
# Incident Report: Malicious npm Packages Targeting Cursor Editor and Other Dev Tools
## Executive Summary
Multiple malicious npm packages were identified targeting developers through supply chain attacks. One set specifically targeted the Cursor IDE on macOS by stealing credentials and installing backdoors disguised as cheap API tools. Separately, other packages were found stealing cryptocurrency credentials and injecting a Remote Access Trojan (RAT) into a legitimate package, highlighting a pervasive threat in the developer ecosystem.
## Incident Details
- Discovery Date: May 09, 2025 (General timeframe of reporting)
- Incident Date: Initial packages published as early as February 14, 2025 (Cursor packages); September 2024 (Crypto packages); RAT compromise detected May 5, 2025.
- Affected Organization: Developers using the Cursor IDE on macOS, and users of compromised npm libraries (e.g., `rand-user-agent`).
- Sector: Software Development / Cybersecurity
- Geography: Global (npm registry users, primarily macOS targets noted)
## Timeline of Events
### Initial Access
- **Date/Time (Cursor):** Packages published February 13-14, 2025.
- **Vector (Cursor):** Malicious npm packages (`sw-cur`, `sw-cur1`, `aiide-cur`) disguised as tools offering "the cheapest Cursor API."
- **Details (Cursor):** Packages were downloaded over 3,200 times in total.
### Lateral Movement
- **(Cursor):** Once installed, packages fetched an encrypted payload from actor-controlled infrastructure (`t.sw2031[.]com` or `api.aiide[.]xyz`).
- **(Cursor):** The script overwrote Cursor's legitimate `main.js` file with malicious logic to execute arbitrary code within the editor context.
- **(Crypto Attack):** `debugdogs` invoked `pumptoolforvolumeandcomment` to execute the core malicious purpose.
- **(RAT Attack):** Compromised versions of `rand-user-agent` establish C2 communication to receive remote commands.
### Data Exfiltration/Impact
- **(Cursor):** Stole user-supplied Cursor credentials.
- **(Crypto Attack):** Siphoned cryptocurrency keys, wallet files, and trading data related to the BullX platform, exfiltrated to a Telegram bot.
- **(RAT Attack):** Established remote access capabilities (changing CWD, uploading files, executing shell commands).
### Detection & Response
- **(Cursor):** Detected and reported by Socket researchers (Kirill Boychenko).
- **(RAT Attack):** Compromise detected on May 5, 2025 (reported May 9, 2025).
- **Response (RAT):** The affected `rand-user-agent` package was marked deprecated, and its GitHub repository was taken down (redirecting to 404).
## Attack Methodology
- **Initial Access:** Supply chain compromise via malicious npm packages. The Cursor packages lured developers interested in saving money on AI API costs.
- **Persistence:** Cursor packages explicitly disabled Cursor's auto-update mechanism after patching the application files.
- **Privilege Escalation:** Not explicitly detailed, but execution occurred within the context of the user's running editor process.
- **Defense Evasion:** Likely achieved through obfuscation (noted in the crypto attack) and execution within trusted software update channels.
- **Credential Access:** Direct harvesting of Cursor credentials; theft of cryptocurrency keys/wallet files in the BullX compromise.
- **Discovery:** Not explicitly detailed, but implied reconnaissance needed for C2 communication setup.
- **Lateral Movement:** N/A (Focus was direct compromise/endpoint control).
- **Collection:** Gathering editor credentials or crypto wallet data.
- **Exfiltration:** To infrastructure controlled by the threat actor (Cursor payloads) or via a Telegram bot (Crypto data).
- **Impact:** Execution of arbitrary code, credential theft, complete compromise of crypto assets.
## Impact Assessment
- **Financial:** Potential for significant financial loss due to cryptocurrency theft.
- **Data Breach:** Sensitive developer credentials (Cursor) and cryptocurrency trading data/keys.
- **Operational:** Disruption to developer workflow due to compromised tools, though scope of internal network infections is unknown.
- **Reputational:** Low public impact thus far, but underscores major trust issues within the software supply chain.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - `t.sw2031[.]com`
  - `api.aiide[.]xyz`
- **File Indicators:**
  - Overwritten Cursor file: `main.js` (inside the application bundle)
- **Behavioral Indicators:**
  - Disabling auto-update features in the Cursor application.
  - Connection to external command-and-control servers post-install.
  - Exfiltration of data via Telegram bots (for crypto attack).
- Malicious versions of `rand-user-agent`: 2.0.83, 2.0.84, 1.0.110.
## Response Actions
- **Containment:** Immediate removal or deprecation of the malicious npm packages from the registry (for `dpump` and `debugdogs`, and presumably the Cursor-targeting ones), and advising users to uninstall compromised packages.
- **Eradication:** Users needed to downgrade `rand-user-agent` to version 2.0.82. For Cursor users, manual verification and restoration of the `main.js` file and re-enabling auto-updates would be required.
- **Recovery:** Assessing organizational systems for signs of the C2 communication or persistence mechanisms derived from the payloads.
## Lessons Learned
- **Lure Effectiveness:** Threat actors are successfully exploiting developer interest in efficiency (AI tools) and cost reduction (cheaper APIs) to drive initial malicious adoption.
- **Supply Chain Depth:** Attacks increasingly involve malicious patches or modifications to legitimate, trusted libraries (`rand-user-agent` exploit).
- **Persistence Techniques:** Disabling security features like auto-updates is a critical step used by attackers to maintain backdoors.
## Recommendations
- Implement robust dependency scanning and verification for all integrated npm packages before deployment.
- Developers should strictly vet packages offering unofficial "discounts" or unusual configurations for high-value tools like AI IDEs.
- Utilize hardened development environments that restrict network egress for development tools, preventing unknown C2 beaconing.
- For developers using the compromised `rand-user-agent`, downgrade immediately to the last safe version (2.0.82) and run forensic scans, recognizing that downgrading alone does not remove the malware.
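As a starting point for the dependency scanning recommended above, the following added example (not code from the report or from any of the named projects) audits a parsed `package-lock.json` for the package names and `rand-user-agent` versions listed in this report, including copies nested under other dependencies. It assumes every version of the purpose-built malicious packages counts as a hit; the sample lockfile is constructed for illustration.

```javascript
// Package indicators named in this report; null = treat every version as malicious (assumption).
const BAD = {
  "sw-cur": null, "sw-cur1": null, "aiide-cur": null,
  "dpump": null, "debugdogs": null, "pumptoolforvolumeandcomment": null,
  "rand-user-agent": ["2.0.83", "2.0.84", "1.0.110"],
};

function check(name, version, where, hits) {
  if (!Object.prototype.hasOwnProperty.call(BAD, name)) return;
  const versions = BAD[name];
  if (versions === null || versions.includes(version)) hits.push({ name, version, where });
}

// Lockfile v1: nested `dependencies` tree keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    check(name, info.version, here.join(" > "), hits);
    walkV1(info.dependencies, here, hits);
  }
}

// Takes the parsed JSON of a package-lock.json and returns the matching entries.
function auditLock(lock) {
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path,
    // e.g. "node_modules/a/node_modules/b" for a transitive copy of b.
    const marker = "node_modules/";
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const i = path.lastIndexOf(marker);
      const name = info.name || (i >= 0 ? path.slice(i + marker.length) : path);
      check(name, info.version, path, hits);
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/rand-user-agent": { version: "2.0.82" },
    "node_modules/scraper/node_modules/rand-user-agent": { version: "2.0.84" },
    "node_modules/sw-cur": { version: "1.0.0" },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse` of the lockfile's contents to `auditLock`; a hit means the host should be investigated, not only that the package should be removed.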