Cursor AI Code Editor getting hammered through compromised repositories
A security vulnerability has been identified in the AI-powered code editor Cursor, which could allow code execution when a maliciously crafted repository is opened. The issue arises because an important security feature, Workspace Trust, is disabled by default. According to Oasis Security, Cursor’s configuration permits VS Code-style tasks to auto-execute upon opening a project folder, which can lead to silent code execution if a malicious .vscode/tasks.json file is present. This flaw poses significant risks, as attackers can embed hidden “autorun” instructions in projects hosted on platforms like GitHub, enabling the execution of harmful code when users inadvertently open these compromised repositories. The potential consequences include the leakage of sensitive credentials, file modifications, and broader system compromise, exposing Cursor users to supply chain attacks.
To mitigate these risks, users are strongly advised to enable Workspace Trust in Cursor and to open untrusted repositories in alternative code editors for auditing before use. This vulnerability is part of a larger trend, as prompt injections and jailbreaks have emerged as systemic threats affecting AI-powered coding agents such as Claude Code and Cline. These threats allow malicious actors to embed harmful instructions that can trick AI systems into executing dangerous actions or leaking sensitive data. A recent report by Checkmarx highlighted how automated security reviews in Claude Code could inadvertently expose projects to risks, as developers might manipulate the AI into ignoring vulnerabilities. This situation underscores the importance of proper sandboxing and security measures to prevent the execution of malicious code in production environments.
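As an added example (not code from the article, Oasis Security or Cursor), the following Python script performs the pre-open audit the advice above calls for: it walks a checked-out repository for .vscode/tasks.json files that declare tasks to run when the folder is opened. The `runOptions.runOn == "folderOpen"` key is the VS Code task schema's autorun trigger; the sample tasks.json is constructed for the demo.

```python
import json
import os
import tempfile

# Constructed sample tasks.json of the kind the article describes: one task is
# marked to run as soon as the folder is opened. The command is harmless; the
# audit only looks at the autorun trigger, not at the command text.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "echo hello",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

def autorun_tasks(text):
    """Return labels of tasks that auto-execute when the folder is opened.
    VS Code's task schema expresses this as runOptions.runOn == "folderOpen".
    tasks.json may carry comments (JSONC), so a strict-JSON parse failure is
    not treated as clean: fall back to a plain text check instead.
    """
    try:
        doc = json.loads(text)
    except ValueError:
        return ["<unparseable, review manually>"] if "folderOpen" in text else []
    return [t.get("label", "<unnamed>") for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

def audit_repo(root):
    """Walk a checked-out repository; map each .vscode/tasks.json that holds
    folderOpen tasks (path relative to root, POSIX separators) to their labels."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                labels = autorun_tasks(fh.read())
            if labels:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = labels
    return findings

def demo():
    """Lay out a throwaway repo containing the sample file and audit it."""
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, ".vscode"))
        with open(os.path.join(repo, ".vscode", "tasks.json"), "w") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return audit_repo(repo)  # {'.vscode/tasks.json': ['setup']}
```

Run `audit_repo` against a clone before opening it in Cursor; any non-empty result means the folder would execute tasks on open unless Workspace Trust is enabled.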

