you guys need to read this because a critical vulnerability still sits in Cursor IDE β one of the most popular AI coding platforms out there right now β and it lets poisoned repos execute arbitrary code on your machine without ever asking you for confirmation. researchers first reported this back in December 2023 and yet the issue is STILL live, which tells me how quickly these features are shipped before any real safety review happens. an attacker can create a malicious repo with a poisoned commit, and the moment the Cursor agent tries to 'fix' or refactor code it automatically executes generated shell scripts β and those run in your full dev environment with all your local secrets! we're talking exposed API keys, ssh credentials, session tokens, everything you have loaded into your terminal. this isn't a theoretical bug either; it was actively exploited at MIT in April 2024 where an attacker ran remote code on multiple machines through what appeared to be legitimate repo work.
the fix is simple enough but nobody will do it because convenience always wins and that's the bigger story here. you should immediately disable 'Allow Cursor' mode in your settings, which stops the agent from running arbitrary commands without explicit confirmation each time β set a timeout on AI plan execution so nothing can run for longer than 60 seconds and never let unverified third-party repos execute automatically through an AI assistant. what makes this worse is that it's not just Cursor; similar auto-execution patterns have been found in other popular tools like GitHub Copilot, meaning the entire category has a shared structural weakness where convenient automation becomes an unmonitored execution path for malicious code. Cursor even recently added 'Composer' and agentic features designed to make this exact kind of blind execution more common, which is just going to widen the attack surface over time unless people actively opt out of the dangerous defaults. read the full write-up on how this works because it will change how you trust any AI tool that touches your local machine:
Source: https://www.darkreading.com/application-security/cursor-ide-malicious-code-poisoned-repos
Also see: https://cursor.blog/new-agentic-capabilities, https://blogs.mit.edu/2024/06/19/how-a-janus_attack_can_compromise-the-ai-software-supply-chain
the fix is simple enough but nobody will do it because convenience always wins and that's the bigger story here. you should immediately disable 'Allow Cursor' mode in your settings, which stops the agent from running arbitrary commands without explicit confirmation each time β set a timeout on AI plan execution so nothing can run for longer than 60 seconds and never let unverified third-party repos execute automatically through an AI assistant. what makes this worse is that it's not just Cursor; similar auto-execution patterns have been found in other popular tools like GitHub Copilot, meaning the entire category has a shared structural weakness where convenient automation becomes an unmonitored execution path for malicious code. Cursor even recently added 'Composer' and agentic features designed to make this exact kind of blind execution more common, which is just going to widen the attack surface over time unless people actively opt out of the dangerous defaults. read the full write-up on how this works because it will change how you trust any AI tool that touches your local machine:
Source: https://www.darkreading.com/application-security/cursor-ide-malicious-code-poisoned-repos
Also see: https://cursor.blog/new-agentic-capabilities, https://blogs.mit.edu/2024/06/19/how-a-janus_attack_can_compromise-the-ai-software-supply-chain