Attackers are actively targeting developers by distributing a malicious npm package disguised as a tool for validating AI tokens. The package pretends to be associated with Google Gemini but is designed to quietly steal sensitive data from systems using popular AI development tools.
How the Malicious Package Operates
The fake package was uploaded under a seemingly legitimate name and presented as a utility for checking AI tokens. However, several warning signs were overlooked. The documentation was copied from an unrelated project, indicating a lack of authenticity, and the package structure was crafted to appear credible at first glance.
Once installed, the package connects to a remote server hosted on Vercel to fetch additional hidden code. Instead of storing malicious files on disk, it executes payloads directly in memory, making detection significantly harder.
Key behaviors observed:
- Contacts a remote endpoint to download and execute hidden scripts
- Uses obfuscation to hide command-and-control (C2) details
- Executes payloads in memory to bypass traditional security tools
- Disguises itself with legitimate-looking files and dependencies
Even after the main package was removed, related packages from the same source remain active and continue to be downloaded.
Multi-Stage Malware Capabilities
Further analysis revealed that the payload is not a simple script but a modular backdoor with multiple capabilities running in parallel. Each module performs a specific malicious function, allowing attackers to maintain control and extract valuable data.
Core functionalities include:
- Remote access module enabling attackers to control the infected system
- Credential theft targeting browsers and cryptocurrency wallets
- File exfiltration scanning for sensitive documents and configuration files
- Clipboard monitoring to capture copied data such as keys or passwords
The malware uses advanced obfuscation techniques, making it difficult to analyze. Its structure and behavior closely resemble known backdoors, particularly those linked to sophisticated threat campaigns.
Focus on AI Development Environments
The malicious code actively searches for folders linked to widely used AI tools such as Cursor, Claude, Gemini CLI, Windsurf, PearAI, and Eigent. These directories often store API keys, authentication tokens, and even conversation histories.
By extracting this data, attackers can misuse paid AI services, access proprietary code, and potentially pivot deeper into enterprise systems using additional credentials like SSH keys or cloud access tokens.
Key risks include:
- Theft of API keys and AI service tokens
- Exposure of sensitive prompts and development data
- Unauthorized use of paid AI platforms
- Increased risk of broader infrastructure compromise
Detection and Defensive Measures
From a defensive standpoint, visibility into unusual outbound traffic is critical. Monitoring connections to external infrastructure, especially uncommon endpoints, can help identify suspicious package behavior early.
Security teams can also leverage threat hunting techniques to detect patterns associated with multi-process Node.js malware and unusual communication channels such as Socket.IO-based command-and-control traffic.
Recommended actions:
- Monitor and restrict unnecessary outbound network connections
- Watch for abnormal Node.js process activity
- Identify unusual file access in developer environments
- Use threat hunting queries to detect similar attack patterns
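As an added example (not code from the original report), the following Python hunt reads constructed connection-log lines and flags the indicators from the IOC table at the end of this page, plus the generic heuristic of a Node.js process talking to a port other than 80 or 443; the log format and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators from this page's IOC table (defanged there, written plainly here so they match).
C2_IP = "216.126.237.71"
C2_PORTS = {4891: "RAT/C2", 4896: "file exfiltration", 4899: "credential theft"}
STAGER_HOST = "server-check-genimi.vercel.app"
COMMON_PORTS = {80, 443}  # assumption: any other destination port from a node process is worth a look

# Assumed log format (constructed for this example): "<ts> proc=<name> pid=<n> dst=<host-or-ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<host>[^:\s]+):(?P<port>\d+)$")

@dataclass
class Finding:
    ts: str
    pid: int
    reason: str

def hunt(lines):
    """Return one Finding per connection that matches a known IOC or the node/uncommon-port heuristic."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        proc, pid, host, port = m["proc"], int(m["pid"]), m["host"], int(m["port"])
        if host == C2_IP and port in C2_PORTS:
            findings.append(Finding(m["ts"], pid, f"known C2 {host}:{port} ({C2_PORTS[port]})"))
        elif host == STAGER_HOST:
            findings.append(Finding(m["ts"], pid, f"stager host {host}"))
        elif proc == "node" and port not in COMMON_PORTS:
            findings.append(Finding(m["ts"], pid, f"node.js to uncommon port {host}:{port}"))
    return findings

# Constructed sample log: a normal npm fetch, the stager download, three sibling node
# processes (the multi-process backdoor pattern) and a non-node process for contrast.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z proc=node pid=4120 dst=registry.npmjs.org:443",
    "2024-01-01T10:00:02Z proc=node pid=4120 dst=server-check-genimi.vercel.app:443",
    "2024-01-01T10:00:05Z proc=node pid=4133 dst=216.126.237.71:4891",
    "2024-01-01T10:00:06Z proc=node pid=4134 dst=216.126.237.71:4896",
    "2024-01-01T10:00:09Z proc=node pid=4135 dst=203.0.113.9:8443",
    "2024-01-01T10:00:10Z proc=chrome pid=900 dst=203.0.113.10:8443",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid}: {f.reason}")
```

The heuristic branch will also catch benign Node.js tooling on non-standard ports, so treat it as a triage lead rather than a verdict.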
Securing Developer Workflows
This campaign reflects a broader trend of supply chain attacks targeting developer ecosystems, particularly those involving AI tools. As these tools become deeply integrated into workflows, they also become high-value targets.
Developers should treat AI-related directories with the same level of sensitivity as critical folders like .ssh or cloud configuration paths. Before installing any package, it is essential to verify its authenticity, review its dependencies, and examine any unusual installation behavior.
Early reporting of suspicious packages and increased awareness within the developer community can significantly reduce the impact of such threats.
IOCs
| Type | Value | Purpose |
|---|---|---|
| Download URL | server-check-genimi.vercel[.]app/defy/v3 | Malicious domain serving OtterCookie |
| Download Token | logo | HTTP bearer token |
| C2 IP Address | 216.126.237[.]71:4891 (AS14956 – RouterHosting LLC) | RAT/C2 |
| C2 Port | 4896 | File exfiltration |
| C2 Port | 4899 | Credential theft |
| C2 Endpoint | /api/service/makelog | Initial connection containing victim fingerprinting info |
| C2 Endpoint | /api/service/process | C2 command output reporting |