New Supply Chain Attack Targets AI Developers with Malicious npm Package
A sophisticated supply chain attack emerged on March 20, 2026, when a threat actor published a malicious npm package, gemini-ai-checker, under the account gemini-check. Marketed as a utility to verify Google Gemini AI tokens, the package contained hidden malware designed to steal credentials, files, and tokens from AI coding environments.
The package’s README mimicked a legitimate JavaScript library, chai-await-async, though the two were unrelated, a red flag many developers overlooked. Upon installation, the malware silently contacted a Vercel-hosted staging server (server-check-genimi.vercel.app) to download and execute a JavaScript payload directly in memory, evading traditional security tools.
The attack was traced to OtterCookie, a JavaScript backdoor linked to the Contagious Interview campaign, attributed to North Korean (DPRK) threat actors. Microsoft documented a similar variant in March 2026, active since October 2025. The same actor maintained two additional malicious packages, express-flowlimit and chai-extensions-extras, sharing the same Vercel infrastructure. By publication, the three packages had been downloaded over 500 times combined, with gemini-ai-checker removed just before April 1, 2026, while the others remained active.
This campaign uniquely targeted AI developer tools, including Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI, extracting API keys, conversation logs, and source code. The malware also stole browser credentials and cryptocurrency wallets, including MetaMask and Exodus.
The infection mechanism was designed to evade detection. The package included 44 files and four dependencies, appearing legitimate with a SECURITY.md file. A hidden libconfig.js file split the command-and-control (C2) configuration into fragments, reassembled at runtime by libcaller.js to fetch the payload. The malware executed in memory using Function.constructor instead of eval to bypass static analysis.
Once active, the payload deployed a four-module architecture, each running as a separate Node.js process connected to 216.126.237.71 on dedicated ports. Module 0 established remote access via Socket.IO, Module 1 targeted browser databases and cryptocurrency wallets, Module 2 scanned for sensitive files in AI tool directories, and Module 3 monitored the clipboard with a delayed startup to avoid sandbox detection.
Defenders were advised to monitor outbound connections to Vercel and use Microsoft’s KQL queries to detect suspicious Node.js behavior. The incident underscored the risks of unverified npm packages and the need to treat AI tool directories with the same caution as sensitive system folders.
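The loader described above runs its payload through Function.constructor rather than eval, so a rule that only looks for eval never fires. As an added example (not code from the article, from Microsoft, or from the packages themselves), the Node.js audit below checks a lockfile for the three package names reported here and flags the common ways JavaScript builds code from a string. The rule set, function names and sample inputs are assumptions constructed for illustration.

```javascript
// Package names are the three reported in the article above.
const REPORTED_PACKAGES = ["gemini-ai-checker", "express-flowlimit", "chai-extensions-extras"];

// Ways to turn a string into running code. An eval-only rule covers just the first.
const DYNAMIC_CODE_RULES = [
  { id: "eval-call", re: /\beval\s*\(/ },
  { id: "new-Function", re: /\bnew\s+Function\s*\(/ },
  { id: "Function.constructor", re: /\bFunction\s*\.\s*constructor\b/ },
  { id: "constructor.constructor", re: /\.constructor\s*\.\s*constructor\b/ },
];

// List reported packages present in an npm lockfile (v2/v3 "packages" map).
function findReportedPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = new Set();
  for (const installPath of Object.keys(lock.packages || {})) {
    const name = installPath.split("node_modules/").pop(); // handles nested installs
    if (REPORTED_PACKAGES.includes(name)) hits.add(name);
  }
  return [...hits].sort();
}

// Flag every line of every file that matches a dynamic-code rule.
function scanFiles(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      for (const { id, re } of DYNAMIC_CODE_RULES) {
        if (re.test(text)) findings.push({ file, line: i + 1, rule: id });
      }
    });
  }
  return findings;
}

// Constructed sample input (not taken from the real packages).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/chai": { version: "0.0.0-sample" },
  "node_modules/gemini-ai-checker": { version: "0.0.0-sample" },
} });
const SAMPLE_FILES = {
  "lib/a.js": 'const run = Function.constructor("return 1 + 1");\nmodule.exports = run();',
  "lib/b.js": 'const f = new Function("return 2");',
  "lib/c.js": "module.exports = (x) => x * 2;",
};
console.log(findReportedPackages(SAMPLE_LOCK), scanFiles(SAMPLE_FILES));
```

The rules key on how code is executed rather than on the staging hostname, because the report says the C2 configuration was split into fragments and a string match on the host would not see it. Hits are leads for review, since legitimate libraries also use these constructs.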
Source: https://cybersecuritynews.com/hackers-use-fake-gemini-npm-package/
"id": "ANYNPMWINGOO1775593675",
"linkid": "anysphereinc, npm-inc-, windsurf123321, googlecloudsecurity",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
    'affected_entities': [
        {
            'customers_affected': 'Over 500 downloads combined for malicious packages',
            'industry': 'Technology, Software Development',
            'location': 'Global',
            'type': 'AI Developers'
        }
    ],
    'attack_vector': 'Malicious npm Package',
    'data_breach': {
        'data_encryption': 'No (payload executed in memory)',
        'data_exfiltration': 'Yes',
        'personally_identifiable_information': 'Browser credentials, cryptocurrency wallet data',
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': [
            'API keys',
            'Conversation logs',
            'Source code',
            'Browser credentials',
            'Cryptocurrency wallet data'
        ]
    },
    'date_detected': '2026-03-20',
    'date_publicly_disclosed': '2026-03-20',
    'description': 'A sophisticated supply chain attack emerged when a threat actor published a malicious npm package, *gemini-ai-checker*, under the account *gemini-check*. Marketed as a utility to verify Google Gemini AI tokens, the package contained hidden malware designed to steal credentials, files, and tokens from AI coding environments. The malware silently contacted a Vercel-hosted staging server to download and execute a JavaScript payload in memory, evading traditional security tools. The attack was traced to OtterCookie, a JavaScript backdoor linked to the Contagious Interview campaign, attributed to North Korean (DPRK) threat actors. The campaign targeted AI developer tools, extracting API keys, conversation logs, and source code, as well as browser credentials and cryptocurrency wallets.',
    'impact': {
        'data_compromised': 'API keys, conversation logs, source code, browser credentials, cryptocurrency wallets',
        'identity_theft_risk': 'High',
        'operational_impact': 'Data exfiltration, unauthorized access to AI environments',
        'payment_information_risk': 'High (cryptocurrency wallets)',
        'systems_affected': 'AI developer tools (Cursor, Claude, Windsurf, PearAI, Gemini CLI, Eigent AI)'
    },
    'initial_access_broker': {
        'backdoors_established': 'OtterCookie JavaScript backdoor',
        'entry_point': 'Malicious npm package (*gemini-ai-checker*)',
        'high_value_targets': 'AI developer tools (Cursor, Claude, Windsurf, PearAI, Gemini CLI, Eigent AI)'
    },
    'investigation_status': 'Ongoing',
    'lessons_learned': 'Risks of unverified npm packages, need to treat AI tool directories with the same caution as sensitive system folders',
    'motivation': 'Espionage, Financial Gain, Credential Theft',
    'post_incident_analysis': {
        'corrective_actions': 'Enhanced monitoring, verification of npm packages, treating AI tool directories as sensitive',
        'root_causes': 'Unverified third-party package installation, evasion techniques (in-memory execution, fragmented C2 configuration)'
    },
    'recommendations': 'Monitor outbound connections to Vercel, use Microsoft’s KQL queries for detection, verify third-party packages before installation',
    'references': [{'source': 'Microsoft'}],
    'response': {
        'containment_measures': 'Removal of malicious npm packages (*gemini-ai-checker* removed before April 1, 2026)',
        'enhanced_monitoring': 'Recommended',
        'remediation_measures': 'Monitor outbound connections to Vercel, use Microsoft’s KQL queries to detect suspicious Node.js behavior'
    },
    'threat_actor': 'North Korean (DPRK) threat actors',
    'title': 'New Supply Chain Attack Targets AI Developers with Malicious npm Package',
    'type': 'Supply Chain Attack',
    'vulnerability_exploited': 'Unverified third-party package installation'
}