NHI Forum
Read full article here: https://www.oasis.security/blog/cursor-security-flaw/?utm_source=nhimg
A new research finding from Oasis Security reveals a serious security flaw in Cursor, the popular AI-powered code editor. The vulnerability allows malicious repositories to automatically execute code the moment they’re opened—without user consent. For developers and enterprises relying on Cursor, this represents a dangerous attack vector with real-world implications for supply chain security, cloud environments, and non-human identities (NHIs).
The Vulnerability: Auto-Execution on Folder Open
Cursor ships with Workspace Trust disabled by default, unlike Visual Studio Code. That means if a project contains a hidden autorun instruction, Cursor will execute it silently.
Here’s how the exploit works:
- A malicious actor commits a .vscode/tasks.json file into a repo.
- That file contains "runOptions.runOn": "folderOpen".
- When a developer opens the repo in Cursor, the IDE immediately runs the task — no warning, no consent.
From that moment, attackers can run arbitrary code in the developer’s session, enabling theft of API keys, modification of source code, or backdoor installation.
Why It Matters: Developer Laptops Are Goldmines
Unlike isolated servers, developer machines often contain:
- Cloud provider keys (AWS, GCP, Azure)
- Personal Access Tokens (PATs) for GitHub, GitLab, or Bitbucket
- API credentials for SaaS integrations
- Active sessions across critical enterprise tools
That makes an RCE on a dev laptop a perfect pivot point into CI/CD pipelines, cloud infrastructure, and even non-human identities (NHIs) that carry powerful permissions. In short, one booby-trapped repo could compromise an entire enterprise.
Who’s at Risk?
- Affected: Cursor users running default settings (Workspace Trust off).
- Lower risk: VS Code users, where Workspace Trust is enabled and autoruns are blocked until explicit trust is granted.
This highlights a core issue: security defaults matter. An insecure default in a widely used tool puts entire organizations at unnecessary risk.
How to Mitigate: Practical Steps
Oasis Security recommends immediate hardening for teams using Cursor:
- Enable Workspace Trust → Turn on trust prompts before running code.
- Disable automatic tasks → Set task.allowAutomaticTasks: "off".
- Open unknown repos in isolation → Use viewer-only editors, disposable containers, or VMs.
- Hunt & monitor →
  - Scan repos for .vscode/tasks.json with "runOn": "folderOpen".
  - Monitor for unusual shells or outbound traffic after opening projects.
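As an added example (not code from the Oasis Security post or from Cursor), here is a Python scanner for the hunt step above: it walks a checkout, parses each .vscode/tasks.json (tolerating the comments and trailing commas VS Code and Cursor accept in that file), and reports every task whose runOptions.runOn is folderOpen. The embedded sample tasks.json is constructed, and the setup.sh command in it is a placeholder.

```python
import json
import os
import re

# Constructed sample tasks.json (not from a real repository): a benign build
# task beside one wired to "runOn": "folderOpen", the trigger the post describes.
SAMPLE_TASKS_JSON = """{
  // tasks.json is JSON-with-comments; trailing commas are legal too
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "make", },
    { "label": "setup", "type": "shell", "command": "sh ./setup.sh",
      "runOptions": { "runOn": "folderOpen" } },
  ],
}"""

def _strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas so json.loads accepts the
    file. String literals are matched first so markers inside them survive
    (a ',' directly before '}' inside a string is the one case not handled)."""
    tok = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
    text = tok.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_autorun_tasks(tasks_json_text):
    """Return [(label, command)] for every task set to run on folderOpen.
    A file that will not parse is reported too: an unreadable tasks.json in a
    repo you did not write deserves a look, not a silent pass."""
    try:
        doc = json.loads(_strip_jsonc(tasks_json_text))
    except json.JSONDecodeError:
        return [("<unparseable tasks.json>", None)]
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    return [(t.get("label", "<unnamed>"), t.get("command"))
            for t in tasks
            if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan_repo(root):
    """Walk a checkout and report autorun tasks from every .vscode/tasks.json,
    nested workspaces included, as (path, label, command) triples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [(path, label, cmd)
                             for label, cmd in find_autorun_tasks(fh.read())]
    return findings
```

Run scan_repo() against a fresh clone before opening it in the IDE; any non-empty result is a task that Cursor would have executed on folder open under default settings.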
Cursor has acknowledged the issue and says updated guidance will be published soon. But waiting isn't a strategy; teams should act now.
Bigger Picture: AI Tools Expand the Attack Surface
This vulnerability isn’t just about Cursor. It’s part of a larger trend in AI-powered developer tools: powerful automation features, but insecure defaults. As AI agents and NHIs proliferate, the risk of hidden, supply-chain-style exploits only grows.
At Oasis Security, our mission is to secure the environments where AI agents, developer tools, and NHIs operate — from laptops to pipelines to cloud. By exposing risks like this Cursor flaw, we aim to give teams practical defenses against emerging attack vectors.