A new supply chain attack has emerged—this time targeting macOS users of the Cursor AI code editor through rogue npm packages. In this episode, we break down how threat actors published malicious modules—sw-cur, sw-cur1, and aiide-cur—promising cheap access to Cursor’s AI features. Once installed, these packages function as backdoors, stealing credentials, modifying critical application files like main.js, disabling updates, and granting persistent remote access.
We’ll discuss how the attackers used social engineering tactics around “cost savings” to compromise trust, the technical breakdown of the malware’s behavior, and what this means for developers and enterprises relying on modern IDEs. With over 3,200 downloads before detection, this campaign represents a significant escalation in supply chain threats.
Join us as we explore:
- The mechanics of the backdoor and how persistence was achieved
- The risks of lateral movement in enterprise CI/CD environments
- What this attack says about the future of developer-focused malware
- Real-world remediation steps and how to protect your development environments
Whether you’re a developer, CISO, or security researcher, this episode will give you a sharp look into a growing and deeply concerning attack vector.
