The Gemini Trap: How a Fake AI Token Checker Stealthily Hijacks Developer Workstations
A seemingly harmless package for validating Google Gemini tokens appeared in the npm repository, but behind its simple facade was a sophisticated tool capable of compromising a developer's environment.
On March 20, 2026, an account named gemini-check published the gemini-ai-checker package, presenting it as a utility for verifying Gemini AI credentials. However, the README documentation was copied from an entirely unrelated project, the chai-await-async library, which has nothing to do with Gemini. That mismatch was an early sign of deception.
On installation, the package contacted an intermediary server hosted on the Vercel platform to download additional code. It then executed the retrieved script directly in memory, without writing any files to disk. This evasion technique is designed to bypass traditional defenses.
Two more packages using the same delivery method, express-flowlimit and chai-extensions-extras, were found on the same account. Together, these have been downloaded over 500 times and remain available in the repository.
Forensic analysis of the code shows a strong resemblance to the OtterCookie backdoor, which is linked to the Contagious Interview campaign and to North Korean groups. The malware is modular and spawns multiple Node.js processes when it runs.
One module opens a covert access channel to the host, letting a remote operator control the system, capture the screen, and manipulate input devices. A second module steals credentials from browsers such as Chrome, Brave, and Microsoft Edge, and also harvests data from more than 25 cryptocurrency wallets, including MetaMask and Exodus.
A separate component searches the file system for files with extensions such as .env, .key, .json, and .pdf and sends their contents to a command-and-control server. Another module monitors the clipboard and sends its contents to the attackers every half second.
A new feature of this version is its focus on data belonging to AI-assisted development tools. The code explicitly checks directories associated with Cursor, Claude, Gemini CLI, and Windsurf, looking for access keys, query histories, and fragments of proprietary source code.
The choice of targets is deliberate: as AI tools become embedded in the developer's workflow, they become conduits for sensitive information. Combined with stolen access keys for servers and cloud infrastructure, this data gives an attacker a way into corporate networks.
While gemini-ai-checker was removed on the eve of April 1st, its associated projects continue to be distributed. The case is a reminder that software supply chain attacks remain a potent weapon, with malicious packages appearing in repositories at a speed that often outpaces their detection and removal.
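As an added example (not code from the original report or from the packages themselves), this Node.js script checks a parsed package-lock.json for the three package names mentioned above, including copies pulled in transitively or under an npm alias. The sample lockfile, its version numbers, and the function names are constructed for illustration.

```javascript
// Package names taken from the article; everything else here is constructed.
const FLAGGED = new Set([
  "gemini-ai-checker",
  "express-flowlimit",
  "chai-extensions-extras",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (project root) -> null
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Takes a parsed package-lock.json and returns every installed copy of a
// flagged package, including transitive installs.
function findFlagged(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // meta.name is present when the folder name differs from the real name (npm alias).
    const name = meta.name || nameFromPath(path);
    if (name && FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path: here.join(" > ") });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v3): one aliased direct install, one transitive install.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/token-tools": { name: "gemini-ai-checker", version: "0.0.0" },
    "node_modules/express": { version: "4.0.0" },
    "node_modules/express/node_modules/express-flowlimit": { version: "0.0.0" },
  },
};

for (const h of findFlagged(SAMPLE_LOCK)) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
}
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findFlagged; an empty array means none of the three names appears in the lockfile.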