Fake Gemini npm Package Steals AI Tool Tokens
Malicious actors are exploiting a counterfeit Gemini-themed npm package to pilfer tokens and secrets from developers utilizing AI coding tools like Claude, Cursor, Windsurf, PearAI, and others.
The README text was copied from the unrelated chai-await-async library, a mismatch that should have been a red flag for careful reviewers.
Analysis revealed the package contacting a Vercel-hosted endpoint, server-check-genimi.vercel.app, to download and execute additional JavaScript during installation.
According to the report, On March 20, 2026, an npm user “gemini-check” uploaded a package called gemini-ai-checker, claiming it could verify Google Gemini AI tokens.
This same account also hosted two related malicious packages, express-flowlimit and chai-extensions-extras, which saw hundreds of downloads and remained available in early April 2026.
Delivery and C2 Behavior
The gemini-ai-checker package mimics a modern Node.js project with four dependencies, 44 files, and a 271 kB footprint, including typical-looking SECURITY and documentation files to appear legitimate.
The malicious packages leverage README documentation and dependency structures designed to appear credible to users installing software quickly.

Its command-and-control (C2) configuration resides in lib/config.js, where the staging domain, path, version, and bearer token are split into variables so the full URL never appears as a single string.
During installation, lib/caller.js reconstructs the full URL and initiates an HTTP GET to server-check-genimi.vercel.app/defy/v3 with a custom bearrtoken: logo header, retrying up to five times.
If the server responds with HTTP 404 but includes a token field in the body, the code passes that value into Function.constructor and executes it with access to require, keeping the payload completely in-memory and avoiding disk writes that could trigger static or traditional antivirus detection.

Shortly before April 1, 2026, the gemini-ai-checker package was removed from npm, but the two sibling packages tied to the same Vercel infrastructure remain live and continue to be installed.
Researchers recovered the JavaScript backdoor from the Vercel endpoint before takedown and found it heavily obfuscated, using shuffled string arrays and encoded index lookups so all meaningful strings and APIs are resolved at runtime.

- Module 0: Socket.IO-based remote access tool on port 4891, masquerading as vhost.ctl and enforcing a single running instance.
- Module 1: Credential stealer on port 4896, targeting browser credential stores and over 25 cryptocurrency wallets across Windows, macOS, and Linux.
- Module 2: File exfiltration on port 4899, scanning home directories for sensitive extensions (.env, .pem, .key, .json, .csv, .doc, .pdf, .xlsx) and other high-value paths.
- Module 3: Clipboard stealer on port 80, polling every 500 ms with a 3-second initial delay to evade sandbox-based behavioral detection.
The clipboard module and several other behaviors closely match OtterCookie, a JavaScript backdoor previously tied to the DPRK-linked “Contagious Interview” campaign and analyzed by Microsoft in March 2026.
The overlap in obfuscation patterns, module layout, Socket.IO usage, and fingerprinting logic supports a moderate-to-high confidence assessment that this is an active OtterCookie variant.
Beyond general credential theft, the exfiltration module explicitly hunts for directories tied to popular AI development tools.
These include .cursor (Cursor AI IDE), .claude (Anthropic Claude Code), .gemini (Gemini CLI), .windsurf (Windsurf AI IDE), .pearai (PearAI), and .eigent (Eigent AI), among others.
By harvesting API keys, tokens, and conversation logs from these locations, attackers can abuse high-cost AI services, steal proprietary source code, and combine this access with stolen SSH and cloud credentials for deeper enterprise compromise.
For defenders, monitoring and, where practical, restricting outbound connections to Vercel-hosted infrastructure can help surface suspicious package behavior.
Using Microsoft’s published KQL hunting queries for Contagious Interview and OtterCookie activity can assist in spotting similar multi-process Node.js backdoors and Socket.IO C2 traffic.
The campaign mirrors earlier npm supply-chain attacks that hijacked AI assistants and local AI CLIs to search for GitHub tokens, SSH keys, and wallet files, underscoring how deeply AI tools are now embedded in developer workflows.
Security teams should also rapidly report and request takedowns for newly published npm packages that spoof popular AI brands or show mismatched README content and dependencies.
Developers should treat AI tooling directories with the same sensitivity as .ssh, .aws, or .git, given the secrets and code they often contain.
Before installing, they should inspect npm packages for documentation inconsistencies, suspicious network code, and post-install behavior, and watch ecosystem alerts and social channels for reports of trojanized packages.
This campaign highlights that AI coding assistants are now high-value targets in software supply-chain attacks and that attackers are willing to weaponize seemingly helpful Gemini-themed utilities to reach them.
IOCs
| Type | Value | Purpose |
| Download URL | server-check-genimi.vercel[.]app/defy/v3 | Malicious domain serving OtterCookie |
| Download Token | logo | HTTP bearer token |
| C2 IP Address | 216.126.237[.]71:4891 (AS14956 – RouterHosting LLC) | RAT/C2 |
| C2 Port | 4896 | File exfiltration |
| C2 Port | 4899 | Credential Theft |
| C2 Endpoint | /api/service/makelog | Initial connection containing victim fingerprinting info |
| C2 Endpoint | /api/service/process | C2 command output reporting |