Security Debt in the Cursor Ecosystem

The disclosure isn’t an isolated scenario. Earlier this year, Cursor was already targeted by campaigns like CurXecute and MCPoison, along with npm package tampering aimed at macOS users. Barr warned that the .vscode/tasks.json issue is “just another piece of the same puzzle: attackers are looking deep into Cursor’s ecosystem to uncover any pathway to execution.”

Cursor did not immediately respond to CSO’s request for comments.

Hinting at a silver lining, Ford said, “Cursor is at the point where they’re being compared to (and increasingly targeted like) Microsoft’s Visual Studio. This is a cause for a high-five and a reckoning to further harden and expand enterprise security capabilities.”

To mitigate the issue, Oasis researchers advise enabling Workspace Trust and taking extra care with unknown repositories, such as opening them elsewhere, reviewing them first, and limiting exposed secrets.
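The “review them first” advice above can be scripted: the following is an added example (not code from the article, Oasis or Cursor) that inspects a checkout’s .vscode/tasks.json on disk, before the folder is opened in the editor, and lists tasks configured to start automatically on folder open. It relies on the VS Code tasks schema (`runOptions.runOn` set to `folderOpen`) and on a constructed sample tasks.json.

```python
"""Pre-open audit for the tasks.json autorun path described above.
Added example, not from the article, Oasis or Cursor: list every task in a
checkout's .vscode/tasks.json that is set to run when the folder opens
(runOptions.runOn == "folderOpen" in the VS Code tasks schema).
"""
import json
import re
from pathlib import Path

AUTORUN_TRIGGER = "folderOpen"  # tasks.json value that starts a task on open

def _strip_json_comments(text: str) -> str:
    """tasks.json is JSONC: drop comments and trailing commas before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks that would execute on folder open and what they run."""
    data = json.loads(_strip_json_comments(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == AUTORUN_TRIGGER:
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "command": task.get("command", ""),
                "args": task.get("args", []),
            })
    return findings

def audit_checkout(repo_root: Path) -> list[dict]:
    """Audit a cloned repository on disk without opening it in the editor."""
    tasks_file = repo_root / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_autorun_tasks(tasks_file.read_text(encoding="utf-8"))

# Constructed sample: one ordinary build task and one wired to autorun.
SAMPLE_TASKS_JSON = """{
  // constructed for this example
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "command": "sh", "args": ["-c", "echo constructed-autorun"],
     "runOptions": {"runOn": "folderOpen"}},
  ]
}"""

if __name__ == "__main__":
    for hit in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTORUN task {hit['label']!r}: {hit['command']} {' '.join(hit['args'])}")
```

Run `audit_checkout(Path("/path/to/clone"))` against a fresh clone; any non-empty result is a task that would fire simply by opening the folder in an editor that honours it.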
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4054796/cursors-autorun-lets-hackers-execute-arbitrary-code.html