Cursor AI Editor’s Auto-Run Feature Poses Critical Supply Chain Risk to Developers

A critical security weakness has been uncovered in the popular AI-powered Cursor code editor, exposing its one million users to the risk of automatic malware execution simply by opening a malicious repository. This vulnerability, which stems from a deliberate design choice, could enable sophisticated supply chain attacks, credential theft, and complete developer environment compromise without any user interaction.

The Core of the Vulnerability: Disabled Workspace Trust

Cursor is a fast-growing IDE forked from Microsoft’s Visual Studio Code (VS Code), renowned for its deep integration of AI assistants like GPT-4 and Claude. Researchers at Oasis Security discovered the root of the problem: Cursor disables VS Code’s crucial “Workspace Trust” feature by default.

Workspace Trust is a fundamental security boundary in VS Code. It prevents projects from automatically running tasks or executing code until the developer explicitly grants trust to the folder. By disabling this, Cursor automatically executes any tasks defined in a .vscode/tasks.json file the moment a project folder is opened—even if the user is just browsing the code.

How a Malicious Repository Exploits This Flaw

A threat actor can weaponize any public repository by adding a malicious tasks.json file. The potential impacts are severe and immediate upon opening the repo in Cursor:

  • Credential & Token Theft: The automated task can harvest cloud credentials, API keys, and secrets from environment variables or configuration files.
  • Malware Deployment: It can download and execute payloads, establishing a foothold on the developer’s machine.
  • C2 Communication: The task can instantly call out to a command-and-control (C2) server, enabling remote access.
  • Supply Chain Attack: This serves as a perfect vector to infect developers working on legitimate projects, potentially compromising entire software pipelines.

Cursor’s Controversial Stance: Security vs. Features

In a concerning response, the Cursor team informed researchers they have no intention of fixing this default behavior. Their rationale is that Workspace Trust “disables AI and other features our users want to use within the product.”

Instead of enabling Workspace Trust by default, Cursor suggests users either manually enable it themselves or use a basic text editor for untrusted projects. They have promised to update their security guidance to reflect this position.

How Developers Can Protect Themselves

Since the vendor will not address the risk, the responsibility falls on users to secure their environments. Oasis Security recommends the following urgent actions:

  1. Manually Enable Workspace Trust: The primary defense is to turn this feature back on. You can find this setting in Cursor’s preferences.
  2. Use VS Code for Unknown Repos: When cloning or opening an unfamiliar repository, use the standard VS Code editor, which has Workspace Trust enabled by default.
  3. Audit Your Shell Profiles: Avoid storing sensitive credentials in global environment variables (e.g., in .bashrc or .zshrc), as these are prime targets for exfiltration.
  4. Verify Before You Open: Scrutinize the source of a repository before opening it in Cursor, especially if it’s from an unvetted source.
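As an added example (not from the article, Oasis Security or the Cursor project), the following Python script implements the "verify before you open" step: run against a fresh clone, it parses `.vscode/tasks.json` (which VS Code allows to contain comments and trailing commas) and lists every task configured with `"runOn": "folderOpen"`, i.e. the tasks an editor without Workspace Trust would execute on open. The sample tasks.json embedded at the bottom is constructed for demonstration.

```python
# Added example (not the article's or Oasis Security's code): a pre-open audit
# that flags VS Code/Cursor automatic tasks in a checkout before the folder is
# opened. Assumes VS Code's documented tasks.json format, where a task with
# "runOptions": {"runOn": "folderOpen"} runs as soon as the folder opens.
import json
import re
from pathlib import Path

# tasks.json is JSON with comments (JSONC): strip // and /* */ comments and
# trailing commas before parsing, leaving string literals untouched.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def _strip_jsonc(text: str) -> str:
    no_comments = _TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return re.sub(r",(\s*[\]}])", r"\1", no_comments)


def find_auto_run_tasks(tasks_json: str) -> list:
    """Return the tasks that would run automatically when the folder is opened."""
    doc = json.loads(_strip_jsonc(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        run_opts = task.get("runOptions") or {}
        if run_opts.get("runOn") == "folderOpen":
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type", "shell"),
                "command": task.get("command", ""),
            })
    return findings


def audit_repo(repo_dir: str) -> list:
    """Audit a cloned repository; an empty list means no auto-run tasks found."""
    tasks_file = Path(repo_dir) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_auto_run_tasks(tasks_file.read_text(encoding="utf-8"))


# Constructed sample: one ordinary build task and one folder-open task.
SAMPLE_TASKS_JSON = """{
  // ordinary task: only runs when the developer invokes it
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make",},
    {"label": "setup", "type": "shell", "command": "sh ./scripts/setup.sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for hit in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {hit['label']!r} would execute: {hit['command']}")
```

Run it as `python audit_tasks.py` from anywhere, or call `audit_repo("/path/to/clone")` on a real checkout; a non-empty result is the cue to open the repository only with Workspace Trust enabled.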

This incident highlights the ongoing tension between cutting-edge functionality and foundational security practices in the rapidly evolving AI tooling landscape.

By Raza Ahmed
