Security researchers have uncovered a new threat targeting macOS users of the AI-powered Cursor code editor. Malicious NPM packages disguised as tools to enhance Cursor’s capabilities were found injecting a dangerous backdoor into user systems.
According to Socket, the vulnerability detection firm that identified the attack, the packages—named sw-cur, sw-cur1, and aiide-cur—were uploaded to the NPM registry by threat actors under the usernames gtr2018 and aiide. Collectively, these packages have already been downloaded more than 3,200 times.
Cursor, a widely-used integrated development environment (IDE) with built-in AI support, offers paid access to large language models. These rogue packages preyed on developers looking for cheaper or unauthorized ways to access Cursor’s premium features.
Once installed, the packages silently execute a malicious script. This script steals user credentials, pulls a payload from a remote server, then decrypts and installs it locally. It goes a step further by overwriting key files inside Cursor’s installation folder—particularly the main.js file located in the /Applications/Cursor.app/… path on macOS. The goal: achieve persistent remote access through the IDE’s trusted runtime environment.
Even more alarming, one of the packages, sw-cur, disables Cursor’s auto-update functionality. This is likely to prevent the malicious code from being overwritten or removed by future software updates.
All three malicious NPM packages share identical routines for exfiltrating credentials, downloading and decrypting payloads, and injecting code into Cursor, although they use different hardcoded command-and-control domains. Once in place, the malware can access any codebase opened within the editor, putting private repositories, proprietary code, and even authentication tokens at risk.
Socket warns that the implications extend far beyond the individual developer. In enterprise settings or collaborative open source environments, the presence of a trojanized IDE could enable serious damage—such as leaking confidential code, embedding malware into build pipelines, or even facilitating lateral movement within a company’s CI/CD infrastructure.
As of publication, the harmful packages remain live on the NPM registry. Socket has formally requested their removal and is urging any developers who downloaded them to take immediate action.
Affected users should:
- Uninstall the malicious NPM packages immediately
- Reinstall Cursor from an official and trusted source
- Rotate all exposed credentials
- Perform a full audit of recent code changes and access logs
The incident highlights growing threats in the software supply chain, especially as developers increasingly rely on third-party packages and AI tools embedded directly in their workflows.
