Hackers Use Fake Gemini npm Package to Steal Tokens From Claude, Cursor, and Other AI Tools

A new supply chain attack has surfaced targeting software developers who work with AI coding tools. On March 20, 2026, a threat actor published a malicious npm package named gemini-ai-checker under the account gemini-check, presenting it as a simple utility to verify Google Gemini AI tokens.

The package looked credible enough to fool developers — but beneath its clean structure was a dangerous piece of malware built to steal credentials, files, and tokens from AI coding environments.

The package README copied wording from a legitimate JavaScript library called chai-await-async, which has no relation to Google Gemini at all. This mismatch was a red flag, but many developers likely never noticed.

Once installed, the package silently contacted a Vercel-hosted staging server at server-check-genimi.vercel.app to download and run a JavaScript payload directly on the victim machine.

Cyber and Ramen analysts identified the payload and traced it back to OtterCookie, a JavaScript backdoor linked to the Contagious Interview campaign — an operation attributed to North Korean (DPRK) threat actors.

The version found here closely matches a variant that Microsoft documented in March 2026, which has been assessed as active since October 2025.

The same threat actor also maintained two additional packages — express-flowlimit and chai-extensions-extras — all sharing the same Vercel infrastructure. By the time of publication, the three packages had been downloaded over 500 times combined.

While gemini-ai-checker was removed just before April 1, 2026, the other two remained live and continued collecting downloads.

What distinguishes this campaign is its explicit targeting of AI developer tools. Beyond stealing browser credentials and cryptocurrency wallets, the malware was engineered to specifically access directories used by Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI — exposing developer API keys, conversation logs, and source code to theft.

How the Infection Works

The infection mechanism was carefully engineered to avoid detection at every step. The gemini-ai-checker package weighed 271kB across 44 files and listed four dependencies — much larger than a typical token checker, but structured to resemble a legitimate modern project, complete with a SECURITY markdown file to appear trustworthy.

Buried in the package is a file called libconfig.js, which splits the C2 configuration — including the staging domain, authentication token, path, and bearer token — into separate variables rather than storing a complete URL. This breaks up any detectable string, keeping it hidden from basic scanning tools.

On install, libcaller.js reassembles these pieces and sends an HTTP GET request to the Vercel endpoint, retrying up to five times until a valid response is received.

If the server returns a 404 response containing a token field, the payload runs directly in memory using Function.constructor — chosen deliberately over eval to avoid static analysis tools that flag the latter. Nothing is written to disk, making the attack much harder for traditional security tools to detect.

Snippet of the obfuscated JavaScript code (Source - Cyber and Ramen) — Snippet of the obfuscated JavaScript code (Source – Cyber and Ramen)

Once decoded, the payload reveals a four-module architecture, with each module operating as a separate Node.js process connected to C2 server 216.126.237.71 across dedicated ports. Module 0 establishes remote access via Socket.IO.

De-obfuscated code snippet (Source - Cyber and Ramen) — De-obfuscated code snippet (Source – Cyber and Ramen)

Module 1 targets browser databases and over 25 cryptocurrency wallets including MetaMask and Exodus. Module 2 sweeps the home directory for sensitive file types and explicitly enumerates AI tool directories.

Module 3 monitors the clipboard every 500 milliseconds, using a 3,000-millisecond startup delay to slip past sandbox detection.

Defenders should block or closely monitor outbound connections to Vercel where feasible, and use KQL queries published by Microsoft to detect suspicious Node.js process behavior.

Developers should verify npm package contents before installation, look for mismatches between package names and README documentation, and treat AI tool directories like .cursor and .claude with the same sensitivity applied to .ssh or .aws folders.

Reporting any newly published packages that attempt to spoof well-known brands helps the community respond before further damage occurs.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

Original article can be found here

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.