SecurityWeek, archived Apr 17, 2026

Cursor AI Vulnerability Exposed Developer Devices

An indirect prompt injection could be chained with a sandbox bypass and Cursor’s remote tunnel feature for shell access to machines.
A vulnerability chain in Cursor AI could have allowed attackers to hijack developer machines via prompts hidden in malicious repositories, Straiker discovered.
Dubbed NomShub, the attack chain exploits an indirect prompt injection in coding agents and a command sandbox bypass to write code to the user’s machine and abuse Cursor’s remote tunnel feature to gain shell access.
According to Straiker, mounting an attack does not require any user interaction beyond opening a malicious repository in Cursor.
Furthermore, because the exploited feature is a legitimate, signed and notarized binary, an attacker can abuse Cursor to gain full file system access and command execution on macOS systems, where the coding editor runs without sandbox restrictions.
Detecting the attack at the network level, Straiker says, is nearly impossible, as all the traffic goes through Microsoft Azure infrastructure.
The issue, the cybersecurity firm explains, was that Cursor’s protections against agent-executed shell commands did not cover commands executed by the shell itself (shell builtins), leaving the parser blind to working directory changes, manipulated environment variables, and altered shell execution context.
Because the macOS seatbelt sandbox allows writes to the home directory, builtins could be used to escape the sandbox and overwrite the .zshenv file, which is executed by every new Zsh shell instance, including Terminal windows, application-spawned shells, invoking scripts, and the Cursor terminal.
An attacker could inject prompts in a repository’s README.md file and trick the user into opening the repository in Cursor. When the AI reads the README, it follows the injected instructions, executes the sandbox escape, and runs a tunnel exploitation script.
To abuse Cursor’s built-in tunnel and gain remote access to the victim’s system, the attacker also instructs the agent to generate a device code and send it to the attacker’s server. The code is necessary to authorize an authenticated GitHub session through the tunnel.
“The attacker’s GitHub account is now authorized to access the victim’s tunnel. Combined with the tunnel registration data (tunnel ID, cluster), the attacker can connect at any time,” Straiker says.
As long as the process remains running, the GitHub authorization is not revoked, and the tunnel registration is not deleted, the attacker has persistent access to the machine.
Straiker discovered the attack chain in January and reported it to Cursor in early February. A fix was included in Cursor 3.0.
Written by Ionut Arghire, an international correspondent for SecurityWeek.