Over Three Thousand macOS Cursor Users Compromised

Researchers have discovered a cybersecurity attack against the macOS version of the Cursor AI code editor, one that is "stealing credentials and modifying files to gain persistent backdoor access."

Written by Matt Milano

Socket cybersecurity researchers discovered three malicious npm packages that specifically target the macOS version of the Cursor IDE. The malicious packages are designed to steal user credentials, as well as download an encrypted payload that helps establish a backdoor and maintain persistence, according to Socket’s Kirill Boychenko.

When executed, the malicious script in the sw-cur, sw-cur1, and aiide-cur packages harvests user-supplied credentials, retrieves an encrypted secondary payload from threat actor-controlled infrastructure, decrypts and decompresses it, and replaces critical Cursor-specific code with attacker-controlled logic. The sw-cur package also disables Cursor’s auto-update mechanism, and all packages restart the application, granting the threat actor persistent, remote-controlled execution within the user’s IDE.

Users who have downloaded the malicious packages face a number of significant issues.

For individual users, the compromised IDE poses a direct risk of credential theft, code exfiltration, and potential delivery of additional malware. Once the threat actor obtains Cursor credentials, they can access paid services and, more critically, any codebase the victim opens within the IDE. Because the injected code runs with the user’s privileges, it can execute further malicious scripts or extract sensitive data without detection.

In enterprise environments or open source projects, the risks multiply. A trojanized IDE on a developer’s machine can leak proprietary source code, introduce malicious dependencies into builds, or serve as a foothold for lateral movement within CI/CD pipelines. Since the malicious patch disables Cursor’s auto-update mechanism, it can remain active for extended periods.

Boychenko outlines the steps organizations that suspect compromise can take.

For organizations that suspect exposure, we recommend restoring Cursor from a verified installer, rotating all affected credentials, and auditing source control and build artifacts for signs of unauthorized changes.

Socket’s free tools detect and block threats like these before they reach production environments. By analyzing package behavior in real time — rather than relying solely on static signatures — Socket can flag dangerous patterns such as credential prompts during installation, filesystem access to protected application paths, and outbound requests to malicious and suspicious domains.
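As an added example (not Socket’s tooling and not code from the report), the audit below walks a project tree and flags the three package names the report lists, direct dependencies on them, and install-time lifecycle hooks, which npm runs automatically and which is the general mechanism behind install-time behaviour such as credential prompts. The node_modules layout and the hook names are standard npm facts assumed here, not details taken from the article.

```python
import json
import os

# Package names reported by Socket (taken from the article).
KNOWN_MALICIOUS = {"sw-cur", "sw-cur1", "aiide-cur"}
# Lifecycle hooks npm runs automatically during installation (assumption:
# standard npm behaviour, not detailed in the article).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_package_json(path):
    """Return (kind, what, where) findings for one package.json file."""
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, ValueError):
        return findings  # unreadable or not JSON: nothing to report
    if not isinstance(meta, dict):
        return findings
    name = meta.get("name", "")
    if name in KNOWN_MALICIOUS:
        findings.append(("known-malicious", name, path))
    # Any install hook means code runs as the developer during `npm install`;
    # review it, since that is where an install-time credential prompt would live.
    for hook in INSTALL_HOOKS:
        if hook in (meta.get("scripts") or {}):
            findings.append(("install-hook", f"{name}:{hook}", meta["scripts"][hook]))
    # A project that lists one of the reported names as a dependency.
    for section in ("dependencies", "devDependencies"):
        for dep in (meta.get(section) or {}):
            if dep in KNOWN_MALICIOUS:
                findings.append(("known-malicious-dep", dep, path))
    return findings


def audit_tree(root):
    """Walk root, including node_modules, and audit every package.json."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            findings.extend(audit_package_json(os.path.join(dirpath, "package.json")))
    return findings


if __name__ == "__main__":
    import sys
    for kind, what, where in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:<20} {what:<30} {where}")
```

Run it against a project root; an "install-hook" finding is not proof of compromise on its own, but every hook it lists deserves a look before the next install.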

This latest attack highlights the challenges organizations face with software supply chain attacks.

This campaign highlights a growing supply chain threat, with threat actors increasingly using malicious patches to compromise trusted local software. Our findings align with research by ReversingLabs’ Lucija Valentić, who documented npm-based attacks where malicious packages infected other locally-installed legitimate packages. Together, these investigations reinforce a clear and expanding pattern — stealthy, patch-based compromises delivered through widely used package managers like npm.

macOS Cursor users should take immediate steps to verify that their installations are not compromised, and take any necessary action to mitigate compromise.
