Fake npm Package Steals Tokens From AI Tools Claude, Cursor

Jennifer sherman
April 7, 2026 4 Min Read

Key Takeaways

  • A malicious npm package, “gemini-ai-checker,” was deployed on March 20, 2026, targeting developers using AI coding tools.
  • The package, masquerading as a Google Gemini token verification utility, contained the OtterCookie JavaScript backdoor.
  • The malware specifically exfiltrates credentials, files, and tokens from AI development environments like Claude, Cursor, Windsurf, PearAI, Gemini CLI, and Eigent AI.
  • The attack leveraged sophisticated evasion techniques, including obfuscated C2 configurations and in-memory payload execution, making detection challenging.
  • Researchers link the campaign to North Korean (DPRK) threat actors previously associated with the “Contagious Interview” operation.

Sophisticated npm Supply Chain Attack Targets AI Development Ecosystem

A new, highly targeted supply chain attack has emerged, preying on software developers who integrate AI coding tools into their workflows. On March 20, 2026, a threat actor operating under the alias “gemini-check” published a deceptive npm package named “gemini-ai-checker.” This package was designed to appear as a legitimate tool for validating Google Gemini AI tokens, but it harbored a dangerous payload aimed at stealing sensitive data from AI development environments.

Despite its seemingly innocuous facade, complete with a professional-looking structure, the package concealed a potent piece of malware. This malicious code was engineered to exfiltrate credentials, critical files, and tokens from various AI coding platforms.

The package’s README file contained text copied directly from an unrelated legitimate JavaScript library, chai-await-async, which has no connection to Google Gemini. This inconsistency, while a clear red flag, likely went unnoticed by many developers.

The OtterCookie Backdoor and North Korean Attribution

Upon installation, the malicious package covertly established contact with a Vercel-hosted staging server at server-check-genimi.vercel.app. From this command-and-control (C2) infrastructure, it downloaded and executed a JavaScript payload directly on the victim’s machine.

Analysts at Cyber and Ramen identified this payload as OtterCookie, a JavaScript backdoor previously linked to the “Contagious Interview” campaign. This operation has been consistently attributed to threat actors sponsored by North Korea (DPRK).

The OtterCookie variant observed in this attack closely mirrors one documented by Microsoft in March 2026, which has been assessed as active since October 2025. The same threat actor also managed two other malicious npm packages, “express-flowlimit” and “chai-extensions-extras,” both utilizing the identical Vercel infrastructure. Collectively, these three packages had accumulated over 500 downloads before discovery. While “gemini-ai-checker” was removed just prior to April 1, 2026, the other two packages remained active and continued to be downloaded.

Targeting AI Developer Tools

What distinguishes this campaign is its specific focus on AI developer tools. Beyond the typical targets of browser credentials and cryptocurrency wallets, the malware was meticulously designed to infiltrate directories associated with prominent AI platforms such as Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI. This targeted approach enables the theft of highly sensitive data, including developer API keys, confidential conversation logs, and proprietary source code.

How the Infection Works

The infection mechanism was carefully crafted to evade detection. The “gemini-ai-checker” package was substantial: 271 kB across 44 files, with four dependencies. That is far larger than a simple token checker would require, but the size and structure mimicked a legitimate modern project, down to a SECURITY markdown file included to enhance its trustworthiness.

A file within the package, libconfig.js, ingeniously obfuscated the C2 configuration. Instead of storing a complete URL, it fragmented the staging domain, authentication token, path, and bearer token into separate variables. This fragmentation prevented basic scanning tools from detecting a full malicious URL string.

During installation, libcaller.js would reassemble these fragmented pieces and initiate an HTTP GET request to the Vercel endpoint. It was programmed to retry this request up to five times until a valid response was received.

Crucially, if the server returned a 404 response containing a valid token field, the malicious payload would execute directly in memory using Function.constructor. This method was deliberately chosen over eval to bypass static analysis tools that typically flag the latter. The absence of any disk-based payload further complicated detection by traditional security solutions.
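
The following is an added example, not code from the article or from the researchers it cites: a static review check that treats the Function constructor as an eval-equivalent sink and raises severity when the same file also makes network requests. The file names and sample lines are constructed, and the regex rules are heuristics, so hits are leads for manual review.

```javascript
// Added example: flag dynamic code-construction sinks, not only eval.
const SINKS = [
  { id: "eval", re: /(?<![.\w$])eval\s*\(/ },
  { id: "function-ctor-call", re: /(?<![.\w$])(?:new\s+)?Function\s*\(/ },
  { id: "function-dot-constructor", re: /(?<![\w$])Function\s*\.\s*constructor\b/ },
  { id: "constructor-chain", re: /\.\s*constructor\s*\.\s*constructor\b/ },
  { id: "bracket-constructor", re: /\[\s*["'`]constructor["'`]\s*\]/ },
];
// Network APIs whose response body could be handed to one of the sinks.
const NET = /\b(?:https?\.(?:get|request)|fetch|axios|XMLHttpRequest)\b|require\(\s*["'](?:node:)?https?["']\s*\)/;

// Return one hit per matching rule per line of a single source file.
function scanSource(file, text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of SINKS) {
      if (re.test(line)) hits.push({ file, line: i + 1, rule: id });
    }
  });
  return hits;
}

// files: { "relative/path.js": "source text" }. A sink in a file that also
// talks to the network is "high"; a sink on its own is "review".
function scanPackage(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const fetchesRemote = NET.test(text);
    for (const hit of scanSource(file, text)) {
      findings.push({ ...hit, severity: fetchesRemote ? "high" : "review" });
    }
  }
  return findings;
}

// Constructed sample sources, held as inert strings and never executed.
const SAMPLE = {
  "lib/caller.js": [
    'const https = require("https");',
    "const run = Function.constructor;",
    "https.get(url, (res) => { /* body passed to run(...) */ });",
  ].join("\n"),
  "lib/util.js": "function myFunction(a) { return evaluate(a); }",
  "lib/legacy.js": 'const f = new Function("a", "return a");',
};

console.log(scanPackage(SAMPLE));
```

The lookbehinds keep names such as `myFunction(` and `evaluate(` from matching, which is the usual source of noise in eval-only rules extended to `Function`.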

Once decoded, the payload revealed a sophisticated four-module architecture. Each module operated as an independent Node.js process, establishing connections to the C2 server at 216.126.237.71 via dedicated ports. Module 0 was responsible for establishing remote access through Socket.IO.

Module 1 aggressively targeted browser databases and over 25 cryptocurrency wallets, including popular ones like MetaMask and Exodus. Module 2 systematically scanned the victim’s home directory for sensitive file types and specifically enumerated directories associated with AI tools. Finally, Module 3 implemented a clipboard monitoring function, checking for new content every 500 milliseconds, with a 3,000-millisecond startup delay designed to bypass sandbox detection mechanisms.

What You Should Do

  • Block or Monitor Outbound Connections: Where feasible, block or rigorously monitor all outbound connections to Vercel domains and the identified C2 IP address (216.126.237.71).
  • Utilize KQL Queries: Employ KQL queries, such as those published by Microsoft, to detect anomalous Node.js process behavior within your environment.
  • Verify npm Package Contents: Developers must meticulously inspect the contents of any npm package before installation. Pay close attention to package size, listed dependencies, and the presence of any unusual files or scripts.
  • Scrutinize Documentation: Always cross-reference package names with their README documentation. Discrepancies, such as the use of unrelated library text, are critical indicators of potential malicious activity.
  • Protect AI Tool Directories: Treat directories used by AI tools (e.g., .cursor, .claude, .gemini) with the same level of security and sensitivity as critical system folders like .ssh or .aws. Implement robust access controls and monitoring.
  • Report Suspicious Packages: Actively report any newly published packages that attempt to spoof well-known brands or exhibit suspicious behavior to the npm registry and relevant cybersecurity authorities.
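
The package-content and documentation checks from the list above, as an added example that is not part of the original article: a pre-install triage over a package's manifest, README text and file list. The input shape, the size limits and the sample package (`example-token-checker` and its dependency names) are assumptions made for illustration; the install-hook check is general npm hygiene rather than something the article states about this package.

```javascript
// Added example: triage a package before installing it.
// Scripts that npm runs automatically around installation.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

function triagePackage(pkg, limits = { maxFiles: 20, maxBytes: 100 * 1024 }) {
  const { manifest, readme, files } = pkg;
  const findings = [];
  const name = manifest.name.toLowerCase();

  // A README copied from another project usually never names this package.
  if (!readme.toLowerCase().includes(name)) {
    const heading = (readme.match(/^#\s+(.+)$/m) || [])[1] || "(no heading)";
    findings.push(`readme-mismatch: README titled "${heading}" never mentions "${name}"`);
  }
  // Code that executes as a side effect of `npm install`.
  for (const hook of LIFECYCLE) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push(`install-hook: ${hook} runs "${manifest.scripts[hook]}"`);
    }
  }
  // Size out of proportion to the stated purpose (limits are reviewer-chosen).
  const bytes = files.reduce((sum, f) => sum + f.size, 0);
  if (files.length > limits.maxFiles || bytes > limits.maxBytes) {
    findings.push(`oversized: ${files.length} files, ${Math.round(bytes / 1024)} kB`);
  }
  // Informational: every dependency is more code to review.
  const deps = Object.keys(manifest.dependencies || {});
  if (deps.length) findings.push(`dependencies: ${deps.join(", ")}`);
  return findings;
}

// Constructed sample: hypothetical package sized like the 44-file, 271 kB
// figure reported in the article.
const SUSPECT = {
  manifest: {
    name: "example-token-checker",
    scripts: { postinstall: "node lib/caller.js" },
    dependencies: { "dep-a": "1.0.0", "dep-b": "1.0.0", "dep-c": "1.0.0", "dep-d": "1.0.0" },
  },
  readme: "# unrelated-assert-lib\n\nAsync helpers for assertions.\n",
  files: Array.from({ length: 44 }, (_, i) => ({ path: `lib/f${i}.js`, size: 6300 })),
};

console.log(triagePackage(SUSPECT));
```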
