Summary
A new malware campaign has emerged where hackers are using a fake npm package called "gemini" to distribute malicious code that targets various AI tools and cryptocurrency wallets. The package, which mimics the name of an existing legitimate package, is designed to steal sensitive information such as API tokens from directories like .cursor (used by Cursor AI) and .claude (used by Anthropic's Claude). Once installed, the malware establishes a remote connection via Socket.IO and performs several malicious activities:
- Module 1: Steals data from browser databases and over 25 cryptocurrency wallets including MetaMask and Exodus.
- Module 2: Enumerates AI tool directories and sweeps home directories for sensitive file types.
- Module 3: Monitors the clipboard every 500 milliseconds to capture any copied sensitive information.
Recommendations
- Verify Package Contents: Developers should verify the contents of npm packages before installation, especially those with names similar to well-known brands or tools.
- Monitor Outbound Connections: Block or closely monitor outbound connections to Vercel (used by the malware) where feasible.
- Use KQL Queries: Utilize KQL queries published by Microsoft to detect suspicious
Read the full article at Cyber Security News
Want to create content about this topic? Use Nemati AI tools to generate articles, social posts, and more.
2
Contents
Ali NematiWritten by Ali
![[AINews] The Unreasonable Effectiveness of Closing the Loop](/_next/image?url=https%3A%2F%2Fmedia.nemati.ai%2Fmedia%2Fblog%2Fimages%2Farticles%2F600e22851bc7453b.webp&w=3840&q=75)
