Malicious npm Package ‘gemini-ai-checker’ Targets AI Developers
A recent supply chain attack has emerged, specifically targeting software developers utilizing AI coding tools. On March 20, 2026, a threat actor introduced a malicious npm package named `gemini-ai-checker` under the account `gemini-check`. This package was deceptively presented as a utility for verifying Google Gemini AI tokens, aiming to exploit the trust of developers.
Deceptive Presentation and Installation
The `gemini-ai-checker` package was designed to appear legitimate, with its README file replicating content from an unrelated JavaScript library, `chai-await-async`. This misdirection was a subtle red flag that many developers might have overlooked. Upon installation, the package covertly connected to a Vercel-hosted server at `server-check-genimi.vercel.app` to download and execute a JavaScript payload on the victim’s machine.
Connection to Known Malware
Analysts from Cyber and Ramen identified the payload as `OtterCookie`, a JavaScript backdoor associated with the `Contagious Interview` campaign, which has been linked to North Korean (DPRK) threat actors. This variant closely resembles one documented by Microsoft in March 2026, active since October 2025.
Additional Malicious Packages
The same threat actor was responsible for two other packages: `express-flowlimit` and `chai-extensions-extras`, all utilizing the same Vercel infrastructure. Collectively, these packages amassed over 500 downloads. While `gemini-ai-checker` was removed just before April 1, 2026, the other two remained available and continued to be downloaded.
Targeting AI Developer Tools
This campaign is notable for its explicit focus on AI developer tools. Beyond stealing browser credentials and cryptocurrency wallets, the malware was engineered to access directories used by AI tools such as Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI. This exposure risked developer API keys, conversation logs, and source code.
Infection Mechanism
The infection process was meticulously crafted to evade detection. The `gemini-ai-checker` package, comprising 271kB across 44 files with four dependencies, was structured to resemble a legitimate project, complete with a SECURITY markdown file to enhance its credibility.
Within the package, a file named `libconfig.js` fragmented the command-and-control (C2) configuration—comprising the staging domain, authentication token, path, and bearer token—into separate variables. This fragmentation obscured the complete URL, making it harder for scanning tools to detect. During installation, `libcaller.js` reassembled these components and sent an HTTP GET request to the Vercel endpoint, retrying up to five times until a valid response was received.
If the server returned a 404 response containing a token field, the payload executed directly in memory using `Function.constructor`, a method chosen over `eval` to avoid detection by static analysis tools. This approach ensured that nothing was written to disk, complicating detection by traditional security measures.
Payload Architecture
The decoded payload revealed a four-module architecture, each operating as a separate Node.js process connected to the C2 server at `216.126.237.71` across dedicated ports:
– Module 0: Established remote access via Socket.IO.
– Module 1: Targeted browser databases and over 25 cryptocurrency wallets, including MetaMask and Exodus.
– Module 2: Scanned the home directory for sensitive files, such as SSH keys and configuration files.
– Module 3: Monitored and exfiltrated data from AI development tools, including API keys and conversation logs.
Implications and Recommendations
This incident underscores the growing sophistication of supply chain attacks, particularly those targeting the AI development community. Developers are advised to exercise heightened vigilance when incorporating third-party packages into their projects. Key recommendations include:
– Verify Package Authenticity: Scrutinize the source and credibility of npm packages before installation.
– Monitor Dependencies: Regularly review and update project dependencies to mitigate potential vulnerabilities.
– Implement Security Tools: Utilize security tools capable of detecting anomalous behavior in installed packages.
– Stay Informed: Keep abreast of emerging threats and advisories related to software supply chain security.
By adopting these practices, developers can better protect their projects and sensitive information from malicious actors exploiting trusted ecosystems.
