Cybersecurity analysts have identified a significant security risk involving the Cursor AI code-editing tool, with over 3,200 macOS users infected through three malicious npm packages. The packages, which have been downloaded more than 3,200 times, masquerade as legitimate developer tools offering ‘the cheapest Cursor API.’ According to Socket researcher Kirill Boychenko, these packages are designed to steal user credentials and then retrieve encrypted payloads from threat actor-controlled infrastructure. By overwriting Cursor’s main.js file, the malicious code disables the application’s auto-updates, allowing the threat actor to maintain a long-term presence on the infected system.

These malicious packages are still available for download on the npm registry, which has raised alarms about the growing trend of supply chain attacks. Boychenko pointed out that these attacks are part of a broader strategy in which threat actors exploit trusted software environments to execute arbitrary code. The malicious code operates within the context of a legitimate parent process, such as an IDE or shared library, thereby inheriting the application’s trust and privileges. This method ensures that the malicious logic remains undetected even after the offending package is removed. The threat actors can access API tokens, signing keys, and other privileged information, posing a significant risk to users and their systems.

Socket researchers emphasized that this campaign highlights the increasing threat of supply chain attacks, with threat actors using malicious patches to compromise trusted software. The incident underscores the critical importance of cybersecurity best practices for developers and highlights the vulnerabilities associated with third-party packages. As the cybersecurity landscape continues to evolve, such incidents are likely to become more frequent, necessitating enhanced security measures and vigilance among users and developers.