Over 3,200 Cursor Users Infected by Malicious Credential-Stealing npm Packages (thehackernews.com)
- Reference: 0177450993
- News link: https://developers.slashdot.org/story/25/05/11/2222257/over-3200-cursor-users-infected-by-malicious-credential-stealing-npm-packages
- Source link: https://thehackernews.com/2025/05/malicious-npm-packages-infect-3200.html
> "Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's main.js file, and disable auto-updates to maintain persistence," Socket researcher Kirill Boychenko [2]said . All three packages continue to be available for download from the npm registry. "Aiide-cur" was first published on February 14, 2025...
>
> In total, the three packages have been downloaded over 3,200 times to date.... The findings point to an emerging trend where threat actors are using rogue npm packages as a way to introduce malicious modifications to other legitimate libraries or software already installed on developer systems... "By operating inside a legitimate parent process — an IDE or shared library — the malicious logic inherits the application's trust, maintains persistence even after the offending package is removed, and automatically gains whatever privileges that software holds, from API tokens and signing keys to outbound network access," Socket told The Hacker News .
>
> "This campaign highlights a growing supply chain threat, with threat actors increasingly using malicious patches to compromise trusted local software," Boychenko said.
The npm packages "restart the application so that the patched code takes effect," letting the threat actor "execute arbitrary code within the context of the platform."
[1] https://thehackernews.com/2025/05/malicious-npm-packages-infect-3200.html
[2] https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos
It's almost like... (Score:2)
It's almost like one could see this coming. Toolchains have incredible vulnerabilities, especially npm and rust crates.
Containers/VMs (Score:2)
Why isn't that npm shit running in a container or VM? It sounds like the editor itself is implemented with npm packages. If that's the case, seems pretty stupid to run an editor like that to me. Maybe ask the AI to create a more secure setup for you.
Re: (Score:2)
npm has bad press because their repo is huge, very dynamic and not very well curated, and because a big portion of its users have little care or little clue. other than that it's exactly the same as any other dependency manager. npm, nuget, cargo, swift, pip, go mod, maven ... all of them load dependencies into your development environment in some way. how rigorously their repositories are curated makes a difference, but that only goes so far. indeed, ideally you would need a fresh container and a thorough
Maybe our jobs aren't gone just yet (Score:3)
Like any new technology on the bleeding edge, the promises are stratospheric, but the risks are also high. Reality always has a way of showing up, the claims are never as dramatic as the proponents say they are. And the cataclysm from feared job losses is also never as dire.
And I say that as a daily user of GitHub Copilot. It isn't as "advanced" as Cursor, in the sense that it's still just focusing on spot code changes, not trying to be your entire development system. In the context of stories like this, I see this as a good thing. It gives me the power of AI to speed up the pace of work, but also doesn't expose me to the same level of risk, since I still have to supervise closely.
AI Code Editor (Score:1)
I have no sympathy for these people.
Re: (Score:2)
To not being replaced by someone who does twice your workload with the same effort for the same pay, by using different tools you refuse to learn how to use?
Re: (Score:2)
ok but it just highlights the supply chain risks common to all of us. For now they target idiots ready to download "the cheapest API". But nothing prevents, in theory, that someone packages malicious code into a vi/vim/gvim package for a given distro. We can discuss risk factors, e.g. big vs small distro, yearly vs rolling release.
Re: AI Code Editor (Score:2)
I'd rather discuss how we mitigate. Like, don't use npm. Minimize dependencies. Use only major trusted libraries. Evaluate their dependencies. Nobody has time to use the code. Also look at any build tools and scripts in the dependencies.
Re: AI Code Editor (Score:2)
I didn't mean use; nobody has time to *review* the code.