Fake npm Package Steals Tokens From AI Tools Claude, Cursor
Key Takeaways
- A malicious npm package, “gemini-ai-checker,” was deployed on March 20, 2026, targeting developers using AI coding tools.
- The package, masquerading as a Google Gemini token verification utility, contained the OtterCookie JavaScript backdoor.
- The malware specifically exfiltrates credentials, files, and tokens from AI development environments like Claude, Cursor, Windsurf, PearAI, Gemini CLI, and Eigent AI.
- The attack leveraged sophisticated evasion techniques, including obfuscated C2 configurations and in-memory payload execution, making detection challenging.
- Researchers link the campaign to North Korean (DPRK) threat actors previously associated with the “Contagious Interview” operation.
Sophisticated npm Supply Chain Attack Targets AI Development Ecosystem
A new, highly targeted supply chain attack has emerged, preying on software developers who integrate AI coding tools into their workflows. On March 20, 2026, a threat actor operating under the alias “gemini-check” published a deceptive npm package named “gemini-ai-checker.” This package was designed to appear as a legitimate tool for validating Google Gemini AI tokens, but it harbored a dangerous payload aimed at stealing sensitive data from AI development environments.
Despite its seemingly innocuous facade, complete with a professional-looking structure, the package concealed a potent piece of malware. This malicious code was engineered to exfiltrate credentials, critical files, and tokens from various AI coding platforms.
The package’s README file contained text copied directly from an unrelated legitimate JavaScript library, chai-await-async, which has no connection to Google Gemini. This inconsistency, while a clear red flag, likely went unnoticed by many developers.
The OtterCookie Backdoor and North Korean Attribution
Upon installation, the malicious package covertly established contact with a Vercel-hosted staging server at server-check-genimi.vercel.app. From this command-and-control (C2) infrastructure, it downloaded and executed a JavaScript payload directly on the victim’s machine.
Analysts at Cyber and Ramen identified this payload as OtterCookie, a JavaScript backdoor previously linked to the “Contagious Interview” campaign. This operation has been consistently attributed to threat actors sponsored by North Korea (DPRK).
The OtterCookie variant observed in this attack closely mirrors one documented by Microsoft in March 2026, which has been assessed as active since October 2025. The same threat actor also managed two other malicious npm packages, “express-flowlimit” and “chai-extensions-extras,” both utilizing the identical Vercel infrastructure. Collectively, these three packages had accumulated over 500 downloads before discovery. While “gemini-ai-checker” was removed just prior to April 1, 2026, the other two packages remained active and continued to be downloaded.
Targeting AI Developer Tools
What distinguishes this campaign is its specific focus on AI developer tools. Beyond the typical targets of browser credentials and cryptocurrency wallets, the malware was meticulously designed to infiltrate directories associated with prominent AI platforms such as Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI. This targeted approach enables the theft of highly sensitive data, including developer API keys, confidential conversation logs, and proprietary source code.
How the Infection Works
The infection mechanism was carefully crafted to evade detection. The “gemini-ai-checker” package itself was substantial, weighing 271kB across 44 files and listing four dependencies. This size and structure mimicked a legitimate modern project, even including a SECURITY markdown file to enhance its trustworthiness, despite being far larger than a simple token checker would require.
A file within the package, libconfig.js, ingeniously obfuscated the C2 configuration. Instead of storing a complete URL, it fragmented the staging domain, authentication token, path, and bearer token into separate variables. This fragmentation prevented basic scanning tools from detecting a full malicious URL string.
During installation, libcaller.js would reassemble these fragmented pieces and initiate an HTTP GET request to the Vercel endpoint. It was programmed to retry this request up to five times until a valid response was received.
Crucially, if the server returned a 404 response containing a valid token field, the malicious payload would execute directly in memory using Function.constructor. This method was deliberately chosen over eval to bypass static analysis tools that typically flag the latter. The absence of any disk-based payload further complicated detection by traditional security solutions.
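An added example, not code from the package or from the researchers' report: a heuristic static triage that treats Function-constructor use as a code-execution sink alongside eval and combines signals across files, so a hostname split out into a config module still counts toward the verdict. The patterns, the verdict levels and the sample file contents (including the placeholder host staging.example.invalid) are assumptions.

```javascript
// Added example: heuristic triage for the loader traits described above.
// Patterns are illustrative, not exhaustive; sample file contents are constructed.
const SINKS = {
  "eval": /\beval\s*\(/,
  "Function-constructor": /\bFunction\s*\(|\bFunction\s*\.\s*constructor\b/,
  "constructor-chain": /\.constructor\s*\.\s*constructor\b/,
};
const NETWORK = /\brequire\s*\(\s*["'](?:node:)?https?["']\s*\)|\bfetch\s*\(|\baxios\b/;
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\\n])*)\1/g;
const BARE_HOST = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;
const FILE_EXT = /\.(?:c?js|mjs|ts|json|md|txt|node|map|ya?ml)$/i;

// Per-file signals: code-from-string sinks, network use, and URL-shaped literals.
function scanFile(source) {
  const literals = [...source.matchAll(STRING_LITERAL)].map((m) => m[2]);
  return {
    sinks: Object.keys(SINKS).filter((id) => SINKS[id].test(source)),
    network: NETWORK.test(source),
    fullUrls: literals.filter((s) => /^https?:\/\/[^/\s]+/i.test(s)),
    bareHosts: literals.filter((s) => BARE_HOST.test(s) && !FILE_EXT.test(s)),
  };
}

// Package-level verdict: signals are combined across files because the
// configuration and the caller live in different modules.
function triagePackage(files) {
  const scans = Object.entries(files).map(([path, src]) => ({ path, ...scanFile(src) }));
  const sinks = scans.flatMap((f) => f.sinks.map((s) => `${f.path}: ${s}`));
  const hosts = scans.flatMap((f) => f.bareHosts.map((h) => `${f.path}: ${h}`));
  const network = scans.some((f) => f.network);
  // A hostname literal with no complete URL anywhere suggests runtime assembly.
  const splitUrl = hosts.length > 0 && scans.every((f) => f.fullUrls.length === 0);
  let verdict = "low";
  if (sinks.length && network) verdict = splitUrl ? "high" : "review";
  return { verdict, sinks, hosts, network, splitUrl };
}

// Constructed sample: file names follow the article, contents are inert stand-ins.
const SAMPLE = {
  "libconfig.js": 'module.exports = { proto: "https://", host: "staging.example.invalid", path: "/v1/check" };',
  "libcaller.js": 'const https = require("https");\nconst cfg = require("./libconfig.js");\nconst run = Function.constructor;',
};
console.log(triagePackage(SAMPLE));
```

The verdict is a triage signal for manual review, since legitimate libraries also build code from strings or read hostnames from configuration.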
Once decoded, the payload revealed a sophisticated four-module architecture. Each module operated as an independent Node.js process, establishing connections to the C2 server at 216.126.237.71 via dedicated ports. Module 0 was responsible for establishing remote access through Socket.IO.
Module 1 aggressively targeted browser databases and over 25 cryptocurrency wallets, including popular ones like MetaMask and Exodus. Module 2 systematically scanned the victim’s home directory for sensitive file types and specifically enumerated directories associated with AI tools. Finally, Module 3 implemented a clipboard monitoring function, checking for new content every 500 milliseconds, with a 3,000-millisecond startup delay designed to bypass sandbox detection mechanisms.
What You Should Do
- Block or Monitor Outbound Connections: Where feasible, block or rigorously monitor all outbound connections to Vercel domains and the identified C2 IP address (216.126.237.71).
- Utilize KQL Queries: Employ KQL queries, such as those published by Microsoft, to detect anomalous Node.js process behavior within your environment.
- Verify npm Package Contents: Developers must meticulously inspect the contents of any npm package before installation. Pay close attention to package size, listed dependencies, and the presence of any unusual files or scripts.
- Scrutinize Documentation: Always cross-reference package names with their README documentation. Discrepancies, such as the use of unrelated library text, are critical indicators of potential malicious activity.
- Protect AI Tool Directories: Treat directories used by AI tools (e.g., .cursor, .claude, .gemini) with the same level of security and sensitivity as critical system folders like .ssh or .aws. Implement robust access controls and monitoring.
- Report Suspicious Packages: Actively report any newly published packages that attempt to spoof well-known brands or exhibit suspicious behavior to the npm registry and relevant cybersecurity authorities.
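An added example, not from the original article, of the package and README checks in the list above: it takes a version manifest (as returned by npm view <name> --json) plus the README text and reports install hooks, size outliers and a README that documents a different package. The size budget, the sample manifest and its install hook are assumptions.

```javascript
// Added example: pre-install vetting of registry metadata and README text.
// Thresholds and the sample manifest are assumptions made for illustration.
const LIFECYCLE = ["preinstall", "install", "postinstall"];
const LIMITS = { unpackedSize: 100 * 1024, fileCount: 20 }; // assumed budget for a small utility

// Package names the README installs or uses as its top-level title.
function readmeNames(readme) {
  const names = new Set();
  const install = /\bnpm\s+(?:install|i)\s+(?:-{1,2}[\w-]+\s+)*((?:@[\w.-]+\/)?\w[\w.-]*)/g;
  for (const m of readme.matchAll(install)) names.add(m[1]);
  const title = readme.match(/^#\s+`?((?:@[\w.-]+\/)?\w[\w.-]*)`?\s*$/m);
  if (title) names.add(title[1]);
  return [...names];
}

function vetPackage(manifest, readme) {
  const flags = [];
  const name = manifest.name.toLowerCase();
  const scripts = manifest.scripts || {};
  const dist = manifest.dist || {};
  // Lifecycle hooks run automatically during npm install.
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) flags.push(`runs "${scripts[hook]}" on ${hook}`);
  }
  if (dist.unpackedSize > LIMITS.unpackedSize) flags.push(`unpacked size ${dist.unpackedSize} B exceeds budget`);
  if (dist.fileCount > LIMITS.fileCount) flags.push(`${dist.fileCount} files exceeds budget`);
  if (!readme.toLowerCase().includes(name)) flags.push("README never mentions the package name");
  const others = readmeNames(readme).filter((n) => n.toLowerCase() !== name);
  if (others.length) flags.push(`README documents other package(s): ${others.join(", ")}`);
  return flags;
}

// Constructed sample: size and file count mirror the figures reported above;
// the package name, the install hook and the README text are stand-ins.
const SAMPLE_MANIFEST = {
  name: "example-token-checker",
  scripts: { postinstall: "node setup.js" },
  dist: { unpackedSize: 271000, fileCount: 44 },
};
const SAMPLE_README = "# chai-await-async\n\nInstall with `npm install chai-await-async`.\n";
console.log(vetPackage(SAMPLE_MANIFEST, SAMPLE_README));
```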