Malicious npm packages infect Cursor AI

Kirill Boychenko revealed, on May 7, findings that showed several malicious npm packages targeting Mac developers. The malware was specifically targeting developers using the Cursor AI code editor, with the purpose of stealing Cursor credentials and modifying the Cursor app.

The npm packages

The three packages – sw-cur, sw-cur1, and aiide-cur – were promoted as offering cheaper access to Cursor functionality. As of Kirill’s writing, these packages had been downloaded over 3,200 times.

Kirill’s analysis of the malicious code in each of these packages shows that it performed three basic tasks:

  • Upload Cursor credentials to an attacker-controlled C2 server
  • Download a second stage payload
  • Overwrite the main.js file inside the Cursor app with the second stage payload

The main.js file in question is located here:

/Applications/Cursor.app/Contents/Resources/app/extensions/cursor-always-local/dist/main.js

The Cursor patch

The thing that has me scratching my head, and that is not mentioned in Kirill’s analysis, is how the modified Cursor app would continue to run. I downloaded a copy of Cursor, and it is both code signed (by Hilary Stout, with developer ID VDXQ22DGB9) and notarized. This means that modifications to the app should prevent it from executing.

At one point, it was possible to modify a code signed Mac app that was already on the system, and it would continue to run because macOS wouldn’t check the code signature again after the first time the app ran. (I presented a talk and a live demo on this at Virus Bulletin in 2018.)

However, Apple fixed this issue several years ago, and this hasn’t been possible since then. On modern macOS, code signing checks are no longer reliant on an app having a quarantine flag (which gets stripped after the first run). I tested by modifying the main.js file, just to be sure it was covered by the code signing, and as I would expect, the modified app was not allowed to run.

A macOS dialog reading "Cursor is damaged and can't be opened. You should move it to the Trash." Buttons are Cancel and Move to Trash.

Perhaps the developers of this malware tested on older systems that were still vulnerable to this issue, or perhaps they didn’t test at all and just assumed it would work. Either way, I don’t think the second stage of the malware would work on any recent version of macOS.

Impact

Assuming that the modified Cursor app is somehow able to run, it would provide backdoor access into the Cursor development environment. This could allow exfiltration of code – although, one may wonder how much value there would be in code being developed with the assistance of AI.

More concerningly, it could allow injection of malicious code into a legitimate app being developed. This could be the holy grail of supply chain attacks, as the developer is already known to be using code written by AI, since that is the purpose of Cursor. Such a developer may not be particularly apt to notice malicious additions to that code.

IOCs

sw-cur index.js: e64f2260fa8e53b405d30417c54726192892a055134929fd5a06bbab025e3093
sw-cur1 index.js: b7562233ab9179c9b5dea9658ba3a1926c80999f18bd98d2690e0f68e0595182
aiide-cur index.js: 3cbcf16ce2a64a610ef0e6ef49f7e7dcd4440774e64ac89b04301c59f2e47cd2

Leave a Reply

Your email address will not be published. Required fields are marked *