Fake Gemini npm Package Targets AI Developers in New Supply Chain Attack

    Rameses Quiambao

    Summary

    On April 7, 2026, a supply chain attack was identified involving a malicious npm package named gemini-ai-checker, designed to steal credentials and sensitive data from AI development environments.

    The package masqueraded as a utility for validating Google Gemini API tokens but instead deployed malware capable of credential theft, file exfiltration, and persistent access.

    The activity has been linked to OtterCookie malware, associated with the Contagious Interview campaign, attributed to North Korean (DPRK) threat actors.

    Research Source

    According to Cyber and Ramen analysts, the malicious payload was traced to infrastructure and techniques consistent with previously documented DPRK-linked campaigns.

    The malware variant closely matches activity reported by Microsoft in March 2026, indicating the campaign has been active since at least October 2025.

    Technical Details

    The attack leveraged a malicious npm package disguised as a legitimate developer tool.

    Key characteristics:

    • Package name: gemini-ai-checker
    • Hosted under attacker-controlled account (gemini-check)
    • Delivered payload via Vercel staging server
    • Fileless execution using Function.constructor
    • Obfuscated C2 configuration split across variables

    Attack flow:

    1. Developer installs malicious npm package
    2. Package contacts Vercel-hosted server
    3. Retrieves malicious payload
    4. Executes payload in memory (no disk write)
    5. Establishes connection to attacker C2 infrastructure

    Observed Attack Activity

    Threat Actor
    • DPRK-linked operators (Contagious Interview campaign)
    • Malware: OtterCookie

    Infrastructure
    • Vercel staging domain for payload delivery
    • C2 server: 216.126.237.71
    • Communication via multiple dedicated ports

    Malware Capabilities

    Remote Access
    • Establishes persistent backdoor via Socket.IO

    Credential Theft
    • Browser credentials
    • API tokens and session data
    • Cryptocurrency wallets (25+ including MetaMask, Exodus)

    AI Tool Targeting
    • Cursor
    • Claude
    • Windsurf
    • Gemini CLI
    • PearAI
    • Eigent

    Data Exfiltration
    • Source code
    • API keys
    • Developer files
    • Chat logs and AI interaction data

    Persistence & Evasion
    • Fileless payload execution
    • Obfuscated configuration
    • Clipboard monitoring every 500ms
    • Multi-process modular architecture

    Impact

    Successful compromise may allow attackers to:

    • Steal AI API tokens and credentials
    • Access sensitive source code and development data
    • Compromise developer environments
    • Monitor user activity via clipboard tracking
    • Gain persistent remote access
    • Enable further supply chain attacks using stolen tokens

    Because AI tools often store sensitive project data and credentials, this attack poses a high risk to both individual developers and organizations.

    Mitigation

    Recommended response actions:

    1. Remove malicious npm packages immediately
    2. Audit all dependencies for suspicious packages
    3. Rotate all exposed credentials:
       • API keys
       • Tokens
       • Wallet credentials
    4. Monitor outbound connections (especially to Vercel domains)
    5. Inspect Node.js processes for unusual behavior
    6. Validate package authenticity before installation
    7. Avoid installing unverified or newly published packages
    8. Secure sensitive directories (.cursor, .claude, .aws, .ssh)

    Organizations should assume compromise if the package was installed.

    References
    • Cyber and Ramen Analysis – Malicious Gemini npm Package
    • Cyber Security News – Fake Gemini npm Package Steals Tokens (April 7, 2026): https://cybersecuritynews.com/hackers-use-fake-gemini-npm-package/
    • Microsoft Threat Intelligence – OtterCookie Malware (March 2026)
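
The dependency audit recommended under Mitigation, as an added example that is not part of the original post: a Node.js function that scans a parsed package-lock.json for gemini-ai-checker, covering both the v2/v3 `packages` map and the v1 nested `dependencies` tree so transitive installs are caught. The function names, the sample lockfile and its version strings are constructed for illustration.

```javascript
// Package names to flag. Only the name reported in the post is listed.
const DENYLIST = new Set(["gemini-ai-checker"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const i = pkgPath.lastIndexOf(marker);
  return i === -1 ? pkgPath : pkgPath.slice(i + marker.length);
}

// Returns [{name, version, path}] for every denylisted entry in a parsed lockfile.
function auditLockfile(lock, denylist = DENYLIST) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // the root project itself
    // Prefer an explicit name (recorded for aliased installs) over the folder name.
    const name = meta.name || nameFromPath(pkgPath);
    if (denylist.has(name)) hits.push({ name, version: meta.version, path: pkgPath });
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (denylist.has(name) && !hits.some((h) => h.path === path)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (versions are placeholders, not from the report).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/gemini-ai-checker": { version: "0.0.0-example" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

For a real project, pass in `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and run it across every repository and build cache; any hit means the credential rotation steps above apply.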
