Folder structure for malicious package | Image: CyberandRamen
In a calculated move that signals a new frontier in cyber espionage, North Korean threat actors have begun specifically targeting the burgeoning ecosystem of AI development tools. A recent report from CyberandRamen reveals that a sophisticated malware campaign, linked to the infamous “Contagious Interview” activity, is now hunting for tokens and keys associated with popular AI coding assistants like Cursor, Claude, and Windsurf.
The campaign came to light on March 20, 2026, when an npm account named gemini-check published a package titled gemini-ai-checker. To the casual observer, the package appeared to be a legitimate utility for verifying Google Gemini AI tokens.
However, the package was a hollow shell designed to deceive. Its README was a verbatim copy of a legitimate JavaScript library called chai-await-async, which has “no obvious relationship to Gemini”. By mimicking the folder structures and documentation of modern, credible projects, the attackers effectively “add legitimacy to the malicious packages” for developers looking for a quick installation.
The malware is a variant of OtterCookie, a JavaScript backdoor frequently used by DPRK-linked groups. This specific version employs a four-module architecture that spawns independent Node.js processes at execution, ensuring that the malware can function even if the C2 server becomes unavailable.
| Module | Role | Targeted Assets |
| --- | --- | --- |
| Module 0 | Socket.IO RAT | Full remote access, screen capture, and input control. |
| Module 1 | Credential Stealer | Browser passwords and over 25 crypto wallets (MetaMask, Phantom, etc.). |
| Module 2 | File Exfiltration | Sensitive extensions (.env, .pem, .key) and AI tool directories. |
| Module 3 | Clipboard Stealer | Monitored every 500ms to capture sensitive copied data. |
The malware is particularly stealthy: it executes entirely in memory using Function.constructor, “never touching disk,” a tactic chosen to bypass common security tools that look for dynamic execution calls like eval.
While standard credential theft is a staple of these groups, the explicit targeting of AI coding tools marks a significant shift. Module 2 specifically enumerates directories to steal API keys, conversation logs, and source code from tools such as:
- .cursor (Cursor AI IDE)
- .claude (Anthropic Claude Code)
- .gemini (Gemini CLI)
- .windsurf (Windsurf AI IDE)
“This targeting reflects how AI coding tools have become embedded in almost everyone’s workflow, especially developers”. Combined with stolen SSH and cloud credentials, these AI tokens “not only allow the attacker to control the victim’s computer, but also facilitate access into enterprise networks”.
While gemini-ai-checker was removed just before April 1, other malicious packages like express-flowlimit and chai-extensions-extras remain live and continue to accumulate downloads.
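To check a project against the package names listed in this article, the added example below (not code from the CyberandRamen report) parses the text of an npm `package-lock.json`, in either the nested v1 layout or the flat v2/v3 layout, and reports exact name matches, including transitive and aliased installs. The sample lockfile, its version numbers, and the `demo-app` and `left-helper` names are constructed for illustration.

```javascript
// Package names reported as malicious in the article above.
const REPORTED = new Set(['gemini-ai-checker', 'express-flowlimit', 'chai-extensions-extras']);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (the innermost package).
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns [{ name, version, path }] for every reported package in the lockfile.
function auditLockfile(jsonText) {
  const lock = JSON.parse(jsonText);
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // An explicit "name" field is present for aliased installs, so prefer it.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name && REPORTED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (REPORTED.has(name) && !hits.some(h => h.path === path)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 layout): a reported package pulled in transitively.
const SAMPLE = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2' },   // similar name, exact match only
    'node_modules/left-helper': { version: '0.1.0' },
    'node_modules/left-helper/node_modules/express-flowlimit': { version: '1.0.0' },
  },
});

console.log(auditLockfile(SAMPLE));
```

For a real project, pass in the contents of its `package-lock.json`. A match means the install scripts and code of that package may already have run on the machine, so the credentials and AI tool directories named above should be treated as exposed.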
The “Contagious Interview” campaign remains active, and as AI tools become more critical to the development lifecycle, they will undoubtedly remain a primary focus for state-sponsored threat actors.