
The Socket Threat Research Team has uncovered a sophisticated supply chain attack targeting macOS developers using the Cursor AI code editor. Three malicious npm packages (sw-cur, sw-cur1, and aiide-cur) have been identified as backdoors that compromise the integrity of the Cursor IDE by stealing credentials, injecting persistent malware, and disabling security updates. This incident highlights an alarming evolution in npm-based attacks, where threat actors directly backdoor developer tools to gain long-term access and control.

Attack overview

Published under the npm aliases gtr2018 and aiide, and linked to email addresses such as 404228858@qq[.]com and touzi_xiansheng@outlook[.]com, the malicious packages masquerade as developer utilities offering “the cheapest Cursor API” – a bait targeting developers seeking to reduce AI usage fees in Cursor. By the time of discovery, these packages had been downloaded over 3,200 times and remain active on the npm registry.

The attack specifically targets the macOS installation of Cursor by modifying critical internal files, notably the main.js file located at:

/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.j

This file is overwritten with attacker-controlled code, enabling the execution of a backdoor within the trusted runtime environment of the IDE.

Technical Analysis

Infection and payload delivery

  1. Credential Harvesting
    Upon installation, the malicious script intercepts user credentials supplied to Cursor and exfiltrates them via HTTP GET requests to command-and-control (C2) servers such as:
    • cursor.sw2031.com/api/login (for sw-cur and sw-cur1)
    • aiide.xyz/api/login (for aiide-cur)
    The credentials are URL-encoded and sent alongside a timestamp to evade simple detection.
  2. Second-Stage Payload Retrieval
    The script downloads an AES-encrypted, gzip-compressed secondary payload from attacker-controlled domains (t.sw2031.com or api.aiide.xyz). The payload is decrypted using a hardcoded 32-byte AES key: a8f2e9c4b7d6m3k5n1p0q9r8s7t6u5v4
  3. Backdoor Injection and Persistence
    The decrypted payload replaces the original main.js file after backing it up. This trojanized version embeds the stolen credentials and injects attacker logic to maintain persistent access. Notably, the sw-cur package disables Cursor’s auto-update mechanism and terminates related processes (chrome_crashpad_handler and Cursor itself) to ensure the malicious code loads on the next launch. The other variants prompt the user to restart Cursor, activating the backdoor without disabling updates.

Implications for developers and organizations

  • Credential Theft and Service Abuse: Stolen Cursor credentials can be abused to access paid AI services, potentially incurring financial damage or service disruption.
  • Codebase Exposure: Since the backdoor runs with user privileges inside the IDE, it can exfiltrate source code, inject malicious dependencies, or execute arbitrary code within development environments.
  • Supply Chain Risks: This attack exemplifies the growing threat of supply chain compromises via npm, where malicious packages stealthily patch trusted software used by developers.
  • Persistence and Detection Evasion: Disabling auto-updates and embedding within a trusted IDE runtime complicates detection and remediation, allowing prolonged attacker presence.

Recommendations

  • Immediate Remediation: Developers should uninstall the compromised packages and restore Cursor from a verified, clean installer.
  • Credential Rotation: All credentials related to Cursor and associated services must be rotated promptly.
  • Audit and Monitor: Review source control repositories, CI/CD pipelines, and build artifacts for unauthorized changes or suspicious activity.
  • Use Security Tools: Employ tools like Socket’s AI Scanner, CLI, and GitHub app to detect suspicious package behavior, such as unauthorized filesystem writes or outbound network requests during installation.
  • Registry Vigilance: Organizations should monitor npm registry activity and maintain strict policies on dependency vetting, especially for packages promising unofficial or discounted API access.
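
One way to carry out the audit step above, as an added example that is not Socket's tooling or code from the original report: it checks a parsed package-lock.json for the three package names and scans text (for instance the contents of Cursor's main.js) for hosts under the C2 domains listed earlier. The function names and the sample data are assumptions made for this example.

```javascript
// Added example: indicators are the package names and C2 parent domains named in this article.
const BAD_PACKAGES = new Set(["sw-cur", "sw-cur1", "aiide-cur"]);
const BAD_DOMAINS = ["sw2031.com", "aiide.xyz"];

// Return sorted, de-duplicated "name@version" hits from a parsed package-lock.json.
function findMaliciousPackages(lock) {
  const hits = new Set();
  const record = (name, meta) => {
    if (BAD_PACKAGES.has(name)) hits.add(`${name}@${(meta && meta.version) || "unknown"}`);
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path; the last
  // "node_modules/" segment is the package name, which also covers nested installs.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    record(path.split("node_modules/").pop(), meta);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta);
      walk(meta && meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// Return sorted hostnames in `text` that equal or are subdomains of a listed domain.
function findC2Hosts(text) {
  const found = new Set();
  for (const domain of BAD_DOMAINS) {
    const escaped = domain.replace(/\./g, "\\.");
    const re = new RegExp(`(?<![a-z0-9.-])(?:[a-z0-9-]+\\.)*${escaped}(?![a-z0-9-])`, "gi");
    for (const m of text.matchAll(re)) found.add(m[0].toLowerCase());
  }
  return [...found].sort();
}

// Constructed sample input (versions and URL parameters are made up for the demo).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/sw-cur": { version: "0.0.0-sample" },
    "node_modules/some-tool/node_modules/aiide-cur": { version: "0.0.0-sample" },
  },
};
const sampleText = 'get("https://cursor.sw2031.com/api/login?t=0"); // unrelated: notsw2031.com';
console.log(findMaliciousPackages(sampleLock), findC2Hosts(sampleText));
```

Feed `findMaliciousPackages` the result of `JSON.parse` on each project's package-lock.json and `findC2Hosts` the text of the file under review; a hit in either calls for the remediation and credential rotation steps listed above.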

Conclusion

This attack on the Cursor AI IDE represents a new frontier in supply chain threats, where malicious actors directly compromise developer tools to embed persistent backdoors. By exploiting trust boundaries within IDEs, attackers gain a stealthy foothold that can jeopardize both individual developers and enterprise software supply chains. Heightened awareness, rigorous dependency management, and proactive use of behavioral detection tools are essential to defend against such evolving npm malware campaigns.

If you are a developer or security professional using Cursor on macOS, immediate action is advised to mitigate this threat and safeguard your development environment.