A serious security problem has been discovered in Cursor, the AI-powered code editor. Researchers revealed that malicious code can run on a developer’s computer the very moment a project folder is opened in Cursor, and the frightening part is that it happens without any warning or confirmation prompt.
The flaw exists because Cursor ships with its Workspace Trust setting turned off by default. Workspace Trust is designed to ask users before running certain tasks or files when opening new projects. With this feature disabled, Cursor automatically allows project configuration files to execute hidden tasks silently.
Attackers can easily take advantage of this weakness. By creating a malicious repository and including a hidden file called .vscode/tasks.json, they can configure it with the option runOptions.runOn: "folderOpen". Once a developer opens that repository in Cursor, the code inside this file runs immediately, giving attackers a direct path to the system.
The consequences of such an attack are extremely dangerous. Developers often store sensitive information on their machines, such as API keys, cloud credentials, personal access tokens, and active login sessions. If attackers gain access through this flaw, they could steal these secrets, alter codebases, or even install backdoors. From there, they could escalate their attack to target larger systems like CI/CD pipelines, cloud environments, or production servers.
Security teams also discovered related vulnerabilities named “CurXecute” and “MCPoison.” These flaws involve how Cursor interacts with its Model Context Protocol (MCP) servers. They allow attackers to tamper with trusted configurations or inject malicious commands through MCP servers. In some cases, the commands can run silently, making them harder to detect. These issues highlight how integrating AI and external protocols into developer tools creates new risks if security checks are not strict.
Cursor has released updates to fix the MCP-related vulnerabilities and has advised users to update their editor immediately. However, responsibility also falls on developers to make sure their settings are secure. Relying on default configurations is no longer safe in this case.
There are several practical steps that every developer should take. The first is to enable Workspace Trust inside Cursor so that projects cannot run tasks without explicit approval. This ensures that when a suspicious repository is opened, the editor will ask for confirmation before running anything hidden. Another important step is to set task.allowAutomaticTasks to "off", which blocks automatic execution altogether.
Developers should also be cautious when opening unfamiliar repositories. It is always good practice to inspect .vscode/tasks.json or similar configuration files before launching a project locally. Using sandboxed or isolated environments, such as virtual machines or containers, can also limit the damage if a malicious repository is opened by mistake.
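As an added example (not from the article or from Cursor itself), the inspection step above as a small script: it parses a repository's .vscode/tasks.json, including the comments and trailing commas the editor tolerates, and lists every task set to fire on folderOpen, next to the hardened settings a defender would pin. The tasks file is constructed for the example, and security.workspace.trust.enabled is assumed to be the VS Code setting id behind Workspace Trust.

```python
import json
import re

# Constructed sample .vscode/tasks.json, written as JSON-with-comments the way the editor accepts it.
SAMPLE_TASKS_JSON = r'''{
    // the build task is harmless: it only runs when the user invokes it
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "make",
         "runOptions": {"runOn": "default"}},
        {"label": "setup", "type": "shell", "command": "npm install",
         "runOptions": {"runOn": "folderOpen"}},  /* fires the moment the folder opens */
    ]
}'''

# User-level settings.json keys a defender pins; security.workspace.trust.enabled is
# the VS Code setting id behind Workspace Trust (assumption: Cursor inherits it).
HARDENED_SETTINGS = {"security.workspace.trust.enabled": True, "task.allowAutomaticTasks": "off"}

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments plus trailing commas, leaving string contents untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):          # line comment: skip to end of line
            i = text.find("\n", i)
            i = n if i == -1 else i
        elif text.startswith("/*", i):          # block comment: skip past the closer
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(text[i])
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def folder_open_tasks(tasks_json_text: str) -> list[str]:
    """Return the labels of tasks configured to run automatically when the folder is opened."""
    data = json.loads(strip_jsonc(tasks_json_text))
    return [t.get("label", "<unlabelled>") for t in data.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

if __name__ == "__main__":
    for label in folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task on folderOpen: {label!r} - review before opening")
```

Run it against a checkout before opening the folder in the editor; any label it prints deserves a look at the task's command first.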
This flaw is a reminder that developer tools have become high-value targets. They are no longer just text editors; they are connected platforms that handle AI models, external services, and integrated workflows. While this makes them powerful, it also means they present a larger attack surface. Attackers understand this and are now targeting the tools that developers trust most.
The discovery of this flaw in Cursor proves that strong default security is essential. Developers and organizations must stay updated, apply security patches quickly, and enable all available safety features. In an age where cybercriminals are exploiting every gap, the smallest oversight, like a disabled Workspace Trust option, can open the door to serious compromises.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news