Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS

stapp · May 8, 2025

The Socket Threat Research Team has identified three malicious npm packages — sw‑cur, its near-identical clone sw‑cur1, and aiide-cur — targeting the macOS version of the popular Cursor AI code editor. Disguised as developer tools offering “the cheapest Cursor API”, these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor’s main.js file, and disable auto-updates to maintain persistence.
Click to expand...

https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos

What is npm?
https://docs.npmjs.com/about-npm

Log in or Sign up

Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS

stapp Global Moderator

Log in or Sign up

Backdooring the IDE: Malicious npm Packages Hijack Cursor Editor on macOS

stapp Global Moderator

Useful Searches