Cursor AI Vulnerability Exposed Developer Devices
Cursor AI vulnerability chain allows remote shell access via prompt injection and sandbox bypass.
Summary
A vulnerability chain in Cursor AI, dubbed NomShub, could allow attackers to hijack developer machines through indirect prompt injection hidden in malicious repositories combined with a sandbox bypass and abuse of Cursor's remote tunnel feature. The attack requires no user interaction beyond opening a malicious repository and exploits shell builtins to escape macOS sandbox restrictions, overwrite shell configuration files, and gain persistent remote access via GitHub authorization. The issue was patched in Cursor 3.0 after discovery and responsible disclosure by Straiker in January–February 2026.
Full text
A vulnerability chain in Cursor AI could have allowed attackers to hijack developer machines via prompts hidden in malicious repositories, Straiker discovered. Dubbed NomShub, the attack chain exploits an indirect prompt injection in coding agents and a command sandbox bypass to write code to the user's machine, then abuses Cursor's remote tunnel feature to gain shell access.

According to Straiker, mounting an attack does not require any user interaction beyond opening a malicious repository in Cursor. Furthermore, because the exploited feature is a legitimate, signed and notarized binary, an attacker can exploit Cursor to gain full file system access and command execution capabilities on macOS systems, where the coding editor runs without sandbox restrictions. Detecting the attack at the network level, Straiker says, is nearly impossible, as all the traffic goes through Microsoft Azure infrastructure.

The issue, the cybersecurity firm explains, was that Cursor's protections against agent-executed shell commands did not cover commands executed within the shell itself (shell builtins), leaving the parser blind to working directory changes, manipulated environment variables, and an altered shell execution context.

Because the macOS seatbelt sandbox allows writes to the home directory, builtins could be used to escape the sandbox and overwrite the .zshenv file, which is executed by every new Zsh shell instance, including Terminal windows, application-spawned shells, invoked scripts, and the Cursor terminal.

An attacker could inject prompts in a repository's README.md file and trick the user into opening the repository in Cursor. When the AI reads the README, it follows the injected instructions, executes the sandbox escape, and runs a tunnel exploitation script. To abuse Cursor's built-in tunnel and gain remote access to the victim's system, the attacker also instructs the agent to generate a device code and send it to the attacker's server.
The code is necessary to authorize an authenticated GitHub session through the tunnel. "The attacker's GitHub account is now authorized to access the victim's tunnel. Combined with the tunnel registration data (tunnel ID, cluster), the attacker can connect at any time," Straiker says. As long as the process remains running, the GitHub authorization is not revoked, and the tunnel registration is not deleted, the attacker has persistent access to the machine.

Straiker discovered the attack chain in January and reported it to Cursor in early February. A fix was included in Cursor 3.0.

Written by Ionut Arghire, international correspondent for SecurityWeek.
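The parser gap described above, that builtins such as cd and export change shell state without spawning any binary, and that a single redirection into ~/.zshenv persists into every later shell, is something a defender can screen agent-proposed command lines for before they run. The following Python is an added example, not Cursor's or Straiker's code; the builtin list and startup-file list are assumptions about what a reasonable review policy would flag, not the set Cursor's own parser checks.

```python
"""Audit agent-proposed shell command lines for context-changing builtins
and references to shell startup files such as ~/.zshenv.  Added example,
not Cursor's or Straiker's code; the two lists are hardening assumptions."""
import shlex
from pathlib import PurePosixPath

# Builtins that change cwd, environment or execution context without
# spawning a process, so a policy that only inspects external binaries
# never sees their effect (the gap the article describes).
CONTEXT_BUILTINS = {"cd", "pushd", "popd", "export", "unset", "source", ".",
                    "eval", "exec", "alias", "set", "setopt", "trap"}
# Files a new shell sources at startup; .zshenv is read by every zsh
# instance, interactive or not.  Reads are flagged too, so a reviewer
# sees every command that touches them.
STARTUP_FILES = {".zshenv", ".zprofile", ".zshrc", ".zlogin",
                 ".bash_profile", ".bashrc", ".profile"}
CONTROL_OPERATORS = {";", "&&", "||", "|", "&", "(", ")"}
REDIRECTIONS = {">", ">>", "<"}


def split_simple_commands(cmdline):
    """Split a command line into simple commands at control operators;
    redirection targets stay with their command as ordinary words."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in CONTROL_OPERATORS:
            if current:
                commands.append(current)
                current = []
        elif tok not in REDIRECTIONS:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def audit_command(cmdline):
    """Return findings for one proposed command line ([] means clean)."""
    findings = []
    for words in split_simple_commands(cmdline):
        if words[0] in CONTEXT_BUILTINS:
            findings.append(f"builtin '{words[0]}' changes shell context")
        for word in words:
            name = PurePosixPath(word).name
            if name in STARTUP_FILES:
                findings.append(f"'{word}' names startup file {name}")
    return findings
```

A line such as `cd /tmp && export PATH=/tmp:$PATH; echo x >> ~/.zshenv` yields three findings (two builtins and the startup-file write), while `npm install && npm test` yields none.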
Indicators of Compromise
- malware — NomShub