A novel supply chain attack has been uncovered, specifically targeting software developers who utilize artificial intelligence (AI) coding tools. On March 20, 2026, a threat actor released a malicious npm package named `gemini-ai-checker` under the `gemini-check` account. This package was deceptively presented as a utility for verifying Google Gemini AI tokens.
Despite its seemingly innocuous purpose and clean code structure, the package concealed malware designed to compromise credentials, files, and tokens within AI development environments. The README file for the package mimicked the content of a legitimate JavaScript library, `chai-await-async`, which has no connection to Google Gemini. This discrepancy, though a potential red flag, may have been overlooked by many developers.
Hackers Use Fake Gemini npm Package to Steal Tokens From AI Tools
Upon installation, the malicious `gemini-ai-checker` package surreptitiously communicated with a Vercel-hosted staging server, `server-check-genimi.vercel.app`, to download and execute a JavaScript payload directly on the victim’s machine. Cyber and Ramen analysts identified this payload, tracing it back to “OtterCookie,” a JavaScript backdoor associated with the “Contagious Interview” campaign. This campaign has been attributed to North Korean (DPRK) threat actors.
The specific variant discovered bears a close resemblance to a version documented by Microsoft in March 2026, which has been assessed as active since October 2025. This ongoing threat highlights the evolving tactics of state-sponsored hacking groups targeting the burgeoning AI development sector.
In addition to `gemini-ai-checker`, the same threat actor managed two other npm packages: `express-flowlimit` and `chai-extensions-extras`. These packages shared the same Vercel infrastructure, indicating a coordinated effort. By the time of reporting, these three packages had collectively garnered over 500 downloads. While `gemini-ai-checker` was removed shortly before April 1, 2026, the other two packages remained accessible and continued to accumulate downloads.
What sets this campaign apart is its deliberate focus on AI developer tools. Beyond the typical theft of browser credentials and cryptocurrency wallet information, the malware was specifically engineered to access directories commonly used by AI coding environments such as Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI. This targeted approach exposes sensitive developer API keys, conversation logs, and proprietary source code to potential exfiltration.
How the Infection Works
The infection mechanism was meticulously designed to evade detection throughout its lifecycle. The `gemini-ai-checker` package itself was substantial, weighing 271 kB and comprising 44 files, along with four dependencies. This size was considerably larger than a typical token verification utility but was structured to mimic a legitimate, contemporary project. It even included a SECURITY markdown file to project an image of trustworthiness.
Concealed within the package, a file named `libconfig.js` played a crucial role in obfuscation. It fragmented the command-and-control (C2) configuration, including the staging domain, authentication token, path, and bearer token, into separate variables. This approach avoided storing a complete, detectable URL, thereby evading basic scanning tools. Upon installation, `libcaller.js` would reconstruct these components and send an HTTP GET request to the Vercel endpoint, retrying up to five times until it received a valid response.
If the server responded with a 404 error containing a token field, the payload would execute directly in memory. The attackers specifically chose `Function.constructor` over `eval` to circumvent static analysis tools that are designed to flag the latter. Crucially, no files were written to the victim’s disk, significantly increasing the difficulty for conventional security solutions to detect the compromise.
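For reviewers triaging a package, the sketch below flags `eval` together with the `Function`-constructor spellings that an `eval`-only rule misses, and raises the severity when the same file also loads a network module. It is an added example, not code from the package or from the original report; the rule names, file names and sample sources are constructed for illustration.

```javascript
// Added example: heuristic scan of package source for run-time
// code-generation sinks. Rule names are hypothetical labels.
const SINKS = [
  { rule: "eval-call", re: /\beval\s*\(/ },
  { rule: "new-function", re: /\bnew\s+Function\s*\(/ },
  { rule: "function-constructor", re: /\bFunction\s*\.\s*constructor\b/ },
  { rule: "constructor-chain", re: /\.\s*constructor\s*\.\s*constructor\b/ },
  { rule: "bracket-constructor", re: /\[\s*["'`]constructor["'`]\s*\]/ },
];
// Signs that the same file also talks to the network.
const NETWORK =
  /\brequire\s*\(\s*["'`](?:node:)?(?:https?|axios|node-fetch)["'`]\s*\)|\bfetch\s*\(/;

function scanSource(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { rule, re } of SINKS) {
      if (re.test(text)) findings.push({ file, line: i + 1, rule });
    }
  });
  const usesNetwork = NETWORK.test(source);
  // A sink next to network code is the pattern to read by hand first.
  const severity =
    findings.length === 0 ? "none" : usesNetwork ? "high" : "review";
  return { file, findings, usesNetwork, severity };
}

function scanPackage(files) {
  return Object.entries(files)
    .map(([file, source]) => scanSource(file, source))
    .filter((r) => r.severity !== "none");
}

// Constructed sample input: inert strings that are scanned, never executed.
const SAMPLE_FILES = {
  "lib/format.js": "module.exports = (s) => String(s).trim();",
  "lib/template.js": "const render = new Function('d', 'return d.name');",
  "lib/loader.js": [
    "const https = require('https');",
    "const make = Function.constructor;",
  ].join("\n"),
};

for (const r of scanPackage(SAMPLE_FILES)) {
  const hits = r.findings.map((f) => `${f.rule}@${f.line}`).join(",");
  console.log(r.severity, r.file, hits);
}
```

Pattern matching of this kind is a triage aid: a hit means the file deserves a manual read, and a clean result does not clear a package whose sink name is assembled from string fragments.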
Once decoded, the payload revealed a modular architecture consisting of four distinct Node.js processes. Each module connected to the C2 server at `216.126.237.71` via dedicated ports. The first module (Module 0) established remote access using Socket.IO.
Module 1 focused on compromising browser databases and over 25 cryptocurrency wallets, including popular ones like MetaMask and Exodus. Module 2 conducted a sweep of the user’s home directory, searching for sensitive file types and specifically enumerating directories associated with the targeted AI tools. Module 3 monitored the system’s clipboard at 500-millisecond intervals, employing a 3,000-millisecond startup delay to avoid detection by sandbox analysis environments.
To mitigate this threat, organizations should consider blocking or closely monitoring outbound connections to Vercel where feasible. Security teams can leverage KQL queries published by Microsoft to identify suspicious Node.js process behaviors. Developers are strongly advised to meticulously verify the contents of npm packages before installation, scrutinize any mismatches between package names and their README documentation, and accord the same level of security to AI tool directories like `.cursor` and `.claude` as they do to critical folders such as `.ssh` or `.aws`.
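The name-versus-README check can be automated before a dependency is approved. The following added example (not from the original report) compares the name declared in `package.json` with the package the README tells the reader to install; the function names and the README text are constructed for illustration, and only the two package names come from the article.

```javascript
// Added example: flag a README that documents a different package than the
// one package.json declares. Helper names are hypothetical.
const INSTALL_PATTERNS = [
  /\bnpm\s+(?:install|i|add)\s+(?:-{1,2}[\w-]+\s+)*((?:@[\w.-]+\/)?[a-z0-9][\w.-]*)/g,
  /\b(?:yarn|pnpm)\s+add\s+(?:-{1,2}[\w-]+\s+)*((?:@[\w.-]+\/)?[a-z0-9][\w.-]*)/g,
];

function installTargets(readme) {
  const found = new Set();
  for (const re of INSTALL_PATTERNS) {
    for (const m of readme.toLowerCase().matchAll(re)) {
      found.add(m[1].replace(/\.+$/, "")); // drop sentence-ending dots
    }
  }
  return [...found];
}

function checkReadme(pkg, readme) {
  const declared = String(pkg.name || "").toLowerCase();
  const text = readme.toLowerCase();
  const heading = text.match(/^#\s+(.+)$/m);
  const mentionsDeclared = declared !== "" && text.includes(declared);
  const foreignTargets = installTargets(readme).filter((t) => t !== declared);
  // Mismatch: the README never names this package, yet tells the reader to
  // install something else.
  return {
    declared,
    title: heading ? heading[1].trim() : null,
    mentionsDeclared,
    foreignTargets,
    mismatch: !mentionsDeclared && foreignTargets.length > 0,
  };
}

// Constructed sample: package names from the article, README text invented.
const SAMPLE_PKG = { name: "gemini-ai-checker" };
const SAMPLE_README = [
  "# chai-await-async",
  "",
  "Chai assertions for async functions.",
  "",
  "    npm install --save-dev chai-await-async",
].join("\n");

console.log(checkReadme(SAMPLE_PKG, SAMPLE_README));
```

Many legitimate READMEs mention other packages, which is why the check only reports a mismatch when the declared name is absent from the README altogether.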
Reporting newly discovered npm packages that attempt to impersonate well-known brands is vital for the cybersecurity community. Such reports enable a swifter response and help prevent further damage before more developers fall victim to these sophisticated attacks.

