Critical 'NomShub' Vulnerability in Cursor AI Editor Allows for Complete Developer Machine Hijacking

Vulnerability Chain in Cursor AI Editor Risks Developer Hijacking via Malicious Repository

Severity: CRITICAL
Published: April 17, 2026
Categories: Vulnerability, Supply Chain Attack, Cloud Security

Related Entities: Straiker (organization)

Executive Summary

Security researchers at Straiker have discovered a critical vulnerability chain in the Cursor AI coding editor that could lead to a full compromise of a developer's machine. The attack, dubbed NomShub, enables an attacker to gain remote code execution (RCE) with no user interaction other than the developer opening a malicious code repository. The exploit cleverly combines a prompt injection in the editor's AI agent with a sandbox bypass, allowing the attacker to gain shell access. This represents a significant supply chain risk, as a compromised developer machine can be used to inject malicious code into software projects. The attack is also highly evasive, as its malicious traffic is tunneled through legitimate Microsoft Azure infrastructure.


Vulnerability Details

The 'NomShub' attack is not a single flaw but a chain of vulnerabilities that work in concert:

  1. Indirect Prompt Injection: The attacker crafts a malicious file within a code repository. When a developer opens this repository in the Cursor editor, the AI coding agent processes the file. The file contains hidden instructions (a prompt injection) that command the AI agent to perform malicious actions.
  2. Command Sandbox Bypass: Cursor has protections to prevent its AI agent from executing arbitrary shell commands. However, the researchers found a bypass. The sandbox did not properly restrict shell 'builtin' commands, which are part of the shell itself rather than separate executables. This blind spot allowed the injected prompt to execute commands that manipulate the shell's environment.
  3. Remote Tunnel Abuse: The malicious commands executed via the sandbox bypass abuse Cursor's legitimate remote tunnel feature. This feature is intended for collaborative coding but can be repurposed by the attacker to open a reverse shell, granting them full interactive access to the developer's machine.

This attack chain falls under the MITRE ATT&CK category T1195.001 - Compromise Software Dependencies and Development Tools.

Affected Systems

  • Software: Cursor AI coding editor.
  • Users: Software developers using the affected versions of Cursor.
  • Platforms: The impact is particularly severe on macOS, where the editor runs without sandbox restrictions, potentially giving the attacker full file system access.

Exploitation Status

The vulnerabilities were discovered by security researchers who developed a proof-of-concept (PoC) exploit. There is no evidence of in-the-wild exploitation at this time. The researchers at Straiker have responsibly disclosed the findings.

Impact Assessment

A successful 'NomShub' attack has a devastating impact. An attacker with a full shell on a developer's machine can:

  • Steal Source Code and Credentials: Access private repositories, API keys, passwords, and other secrets stored on the machine.
  • Inject Malicious Code: Modify source code to inject backdoors, spyware, or other malware into the software projects the developer is working on. This creates a major Supply Chain Attack risk.
  • Pivot into the Corporate Network: Use the compromised developer machine as a beachhead to move laterally into the broader corporate network.

The attack's stealth is a major concern. Because the reverse shell traffic is tunneled through Microsoft Azure domains used by Cursor, it is nearly impossible to detect with traditional network-level firewalls or intrusion detection systems, as the traffic appears legitimate.


Detection Methods

Detecting this specific attack is challenging due to its evasive nature.

  • Endpoint Detection and Response (EDR): An EDR solution might detect the final stage of the attack, where Cursor's process spawns an unexpected shell (e.g., sh, bash). Monitoring for processes that open outbound network connections to unexpected destinations, even within a trusted domain like Azure, could be an indicator. This is an application of D3-PA: Process Analysis.
  • Code Scanning: While difficult, static analysis tools could potentially be configured to scan for the types of malformed files or prompt injection syntax used in the attack, but this would be highly specific and not a general solution.

Remediation Steps

  1. Update Immediately: Users of the Cursor AI editor should update to the latest version as soon as a patch is made available by the developers.
  2. Vet Repositories: Developers should exercise caution when opening or cloning code repositories from untrusted or unknown sources.
  3. Use Sandboxing: On platforms where it's possible, run development tools like AI code editors inside a sandboxed or virtualized environment to limit their access to the underlying operating system and file system. This aligns with M1048 - Application Isolation and Sandboxing.

Timeline of Events

  • April 17, 2026: This article was published.

MITRE ATT&CK Mitigations

  • The primary mitigation is to update the Cursor AI editor to a patched version as soon as it becomes available.
  • Run development tools in a containerized or virtualized environment to limit their access to the host operating system, mitigating the impact of a compromise.

D3FEND Defensive Countermeasures

To detect the 'NomShub' attack, organizations should use an EDR solution capable of deep Process Analysis on developer workstations. The key detection opportunity lies in monitoring the behavior of the Cursor AI process itself. A high-fidelity alert should be created to trigger whenever the Cursor process spawns a direct child process that is a shell (e.g., sh, bash, zsh, powershell.exe). This is highly anomalous behavior for a code editor. While the editor may legitimately call compilers or build tools, spawning an interactive shell is a major red flag. Correlating this process creation event with a recent file-open operation on a new or untrusted repository would increase the confidence of the alert. This behavioral detection is crucial because the attack's network traffic is designed to be evasive by tunneling through legitimate Microsoft Azure infrastructure.
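The behavioral rule described in the Detection Methods section and the paragraph above (the Cursor process spawning a shell child, with higher confidence when the same host recently opened a file in an untrusted repository) can be expressed as a small detector over process-creation telemetry. This is an added example, not code from Straiker, Cursor, or the article; the event schema, the trusted checkout root, and the sample events are all constructed for illustration, and a real deployment would map its EDR's field names onto them.

```python
"""Flag the 'NomShub' behavior pattern: an editor process spawning a shell.
Added example; the telemetry format and trusted-root path are assumptions."""
import os
from datetime import datetime, timedelta

SHELLS = {"sh", "bash", "zsh", "dash", "fish", "pwsh", "powershell.exe", "cmd.exe"}
EDITOR_PROCESSES = {"cursor"}                    # normalised parent image names to watch
TRUSTED_REPO_ROOTS = ("/Users/dev/src/corp/",)   # assumed corporate checkout roots
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real EDR output); field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2026-04-17T09:00:01Z", "type": "file_open", "process": "Cursor",
     "host": "mac-dev-01", "path": "/Users/dev/src/untrusted-repo/README.md"},
    {"ts": "2026-04-17T09:00:20Z", "type": "process_create", "parent": "Cursor",
     "host": "mac-dev-01", "child": "/bin/zsh"},
    {"ts": "2026-04-17T09:01:00Z", "type": "process_create", "parent": "Cursor",
     "host": "mac-dev-01", "child": "/usr/bin/clang"},
    {"ts": "2026-04-17T13:00:00Z", "type": "process_create", "parent": "Cursor",
     "host": "mac-dev-02", "child": "/bin/bash"},
]

def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def _is_untrusted_repo(path):
    # Anything outside the allowlisted corporate roots is treated as untrusted.
    return not path.startswith(TRUSTED_REPO_ROOTS)

def detect_editor_shell_spawns(events):
    """Return one alert per editor-spawned shell, in time order.
    Severity is 'high' when the same host opened a file in an untrusted
    repository within CORRELATION_WINDOW before the spawn, else 'medium'."""
    recent_opens = {}   # host -> timestamp of the last untrusted-repo file_open
    alerts = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        ts = _parse_ts(ev["ts"])
        if ev["type"] == "file_open" and _is_untrusted_repo(ev["path"]):
            recent_opens[ev["host"]] = ts
        elif ev["type"] == "process_create":
            if ev["parent"].lower() not in EDITOR_PROCESSES:
                continue
            child = os.path.basename(ev["child"]).lower()
            if child not in SHELLS:
                continue        # compilers and build tools are expected children
            last_open = recent_opens.get(ev["host"])
            correlated = last_open is not None and ts - last_open <= CORRELATION_WINDOW
            alerts.append({"host": ev["host"], "ts": ev["ts"], "shell": child,
                           "severity": "high" if correlated else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_editor_shell_spawns(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the zsh spawn on mac-dev-01 is raised as high (it follows an untrusted-repo file open by 19 seconds), the bash spawn on mac-dev-02 as medium, and the clang child is ignored.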

The most direct and effective countermeasure for the 'NomShub' vulnerability is a timely Software Update. Organizations that permit the use of Cursor AI must have a robust patch management program for their development tools, not just operating systems and servers. Upon notification of this vulnerability, a policy should be enforced to push the patched version of Cursor AI to all developer endpoints immediately. This can be managed through enterprise software deployment tools. Furthermore, network access controls or application control policies could be temporarily implemented to block older, vulnerable versions of Cursor from running or accessing the network until they are updated. This ensures that the root cause of the vulnerability—the prompt injection and sandbox bypass—is eliminated from the environment, providing a definitive fix rather than relying on detective controls.

Sources & References

  • "Cursor AI Vulnerability Exposed Developer Devices", SecurityWeek (securityweek.com), April 17, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of focus: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Vulnerability, Cursor AI, RCE, Developer Security, AI, Supply Chain Attack, Prompt Injection
