The Socket Threat Research Team has uncovered a sophisticated campaign targeting macOS users of the Cursor AI code editor through three malicious npm packages: sw-cur, sw-cur1, and aiide-cur. Disguised as cheap access tools to the Cursor API, these packages surreptitiously install persistent backdoors, steal developer credentials, and disable update mechanisms—posing a major risk to both individual coders and enterprise environments.
“The packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence,” the report revealed.
Published by a threat actor using aliases gtr2018 and aiide, with email registrations at qq.com and outlook.com, the packages were hosted on the npm registry and had been downloaded over 3,200 times at the time of discovery. Alarmingly, they remained live on npm at the time of publication, prompting the research team to file formal removal petitions.
The threat actors baited developers by exploiting a common desire—reducing AI usage costs in development tools. The sw-cur and sw-cur1 packages were advertised with the slogan:
“提供全网最便宜的Cursor接口服务-升维科技” — translated as: “Providing the cheapest Cursor API service on the entire internet – Shengwei Technology.”
By masquerading as cost-saving alternatives, these packages appealed to users seeking unofficial integration with popular AI models like Claude, Gemini, and GPT-4.
Once installed, the malicious packages deploy a multi-step attack:
- Credential Exfiltration: The user’s Cursor login credentials are stolen and sent to threat actor-controlled infrastructure such as cursor[.]sw2031[.]com or aiide[.]xyz.
- Encrypted Payload Delivery: The package retrieves a secondary AES-encrypted, gzip-compressed JavaScript payload, which it decrypts using a hardcoded key: a8f2e9c4b7d6m3k5n1p0q9r8s7t6u5v4.
- File Overwrite and Persistence: It replaces the main.js file inside the Cursor IDE directory: /Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js,
embedding stolen credentials and injecting attacker-controlled code.
“The sw-cur package also disables Cursor’s auto-update mechanism; and all packages restart the application, granting the threat actor persistent, remote-controlled execution within the user’s IDE,” the report noted.
The sw-cur variant even goes further by killing active Cursor and crash-handler processes, ensuring the patched application loads immediately upon restart. While sw-cur1 and aiide-cur skip this step, all three variants effectively trojanize the development environment.
The attack presents high-risk implications:
- For individuals, it exposes codebases and potentially even cloud services or repositories connected to the IDE.
- For organizations, a trojanized IDE could act as an infiltration point, introducing malware into CI/CD pipelines or exfiltrating proprietary source code.
“Because the injected code runs with the user’s privileges, it can execute further malicious scripts or extract sensitive data without detection,” the report warned.
Related Posts:
???? Support SecurityOnline.info
If this article helped you stay informed, please consider supporting us below.
