[{"data":1,"prerenderedAt":115},["ShallowReactive",2],{"article-slug-vulnerability-in-cursor-ai-editor-could-lead-to-hijacked-developer-machines":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":28,"sources":29,"events":36,"mitre_techniques":37,"mitre_mitigations":53,"d3fend_countermeasures":73,"iocs":82,"cyber_observables":83,"tags":101,"extract_datetime":106,"article_type":107,"impact_scope":108,"pub_date":33,"reading_time_minutes":114,"createdAt":106,"updatedAt":106},"327e2021-7690-45a2-b3e2-59cda0405956","vulnerability-in-cursor-ai-editor-could-lead-to-hijacked-developer-machines","Critical 'NomShub' Vulnerability in Cursor AI Editor Allows for Complete Developer Machine Hijacking","Vulnerability Chain in Cursor AI Editor Risks Developer Hijacking via Malicious Repository","A critical set of vulnerabilities in the Cursor AI coding editor, collectively named 'NomShub' by researchers at Straiker, could allow an attacker to gain full remote shell access to a developer's machine. The attack requires no user interaction beyond the victim opening a malicious code repository in the editor. The vulnerability chain combines a prompt injection with a command sandbox bypass, allowing the attacker to write malicious code and then abuse Cursor's remote tunnel feature for RCE. The attack is particularly stealthy as it routes traffic through legitimate Microsoft Azure infrastructure.","## Executive Summary\nSecurity researchers at Straiker have discovered a **critical vulnerability chain** in the **[Cursor AI](https://cursor.sh/)** coding editor that could lead to a full compromise of a developer's machine. The attack, dubbed **NomShub**, enables an attacker to gain remote code execution (RCE) with no user interaction other than the developer opening a malicious code repository. 
The exploit chains an indirect prompt injection against the editor's AI agent with a command-sandbox bypass, giving the attacker shell access. This is a significant software supply chain risk: a compromised developer machine can be used to inject malicious code into every project that developer commits to. The attack is also highly evasive, because its command-and-control traffic is tunneled through legitimate **[Microsoft Azure](https://azure.microsoft.com/)** infrastructure.\n\n---\n\n## Vulnerability Details\nThe 'NomShub' attack is not a single flaw but a chain of three weaknesses that work in concert:\n1.  **Indirect Prompt Injection:** The attacker plants a file containing hidden instructions in a code repository. When a developer opens that repository in Cursor, the AI coding agent reads the file as context and treats the embedded instructions as commands, without the developer typing anything.\n2.  **Command Sandbox Bypass:** Cursor restricts which shell commands its AI agent may run. The researchers found that the restriction did not cover shell 'builtin' commands, which are executed by the shell process itself rather than by a separate executable (for example `cd`, `export`, `eval`, or `source`), so a check that only looks at which program a command launches never sees them. This blind spot allowed the injected prompt to run commands that manipulate the shell's environment.\n3.  **Remote Tunnel Abuse:** The commands executed via the sandbox bypass abuse Cursor's legitimate remote tunnel feature. 
This feature is intended for legitimate remote access to a development machine, but the attacker can repurpose it to open a reverse shell, granting full interactive access to the developer's machine with the developer's privileges.\n\nThis attack chain maps to the MITRE ATT&CK technique [`T1195.001 - Compromise Software Dependencies and Development Tools`](https://attack.mitre.org/techniques/T1195/001/).\n\n## Affected Systems\n*   **Software:** Cursor AI coding editor.\n*   **Users:** Software developers running a version of Cursor released before the fix.\n*   **Platforms:** The impact is particularly severe on macOS, where the editor runs without sandbox restrictions, so the attacker's shell inherits the developer's full file system access.\n\n## Exploitation Status\nThe vulnerabilities were discovered by security researchers, who developed a proof-of-concept (PoC) exploit. At the time of the source report there was no evidence of in-the-wild exploitation. The researchers at Straiker have responsibly disclosed the findings.\n\n## Impact Assessment\nA successful 'NomShub' attack has a devastating impact. An attacker with a full shell on a developer's machine can:\n*   **Steal Source Code and Credentials:** Read private repositories and any API keys, passwords, tokens, and other secrets stored on the machine or cached in the developer's environment.\n*   **Inject Malicious Code:** Modify source code to plant backdoors, spyware, or other malware in the projects the developer works on, which then propagate downstream as a **[Supply Chain Attack](https://en.wikipedia.org/wiki/Software_supply_chain)**.\n*   **Pivot into the Corporate Network:** Use the compromised developer machine as a beachhead to move laterally into the broader corporate network.\n\nThe attack's stealth is a major concern. 
Because the reverse shell rides the same Microsoft Azure tunnel endpoints that Cursor uses legitimately, network-level firewalls and intrusion detection systems see only a connection from a sanctioned application to a sanctioned destination; the attack is effectively invisible at the network layer.\n\n---\n\n## Detection Methods\nDetecting this attack is challenging because every stage abuses a legitimate feature of the editor rather than dropping a recognizable payload.\n*   **Endpoint Detection and Response (EDR):** The most reliable signal is on the endpoint, in the final stage, where a shell (e.g., `sh`, `bash`, `zsh`, `powershell.exe`) under Cursor's process tree sets up the tunnel. Cursor spawns shells routinely for its integrated terminal and for commands the agent runs, so alert on the combination rather than on the shell alone: a shell whose subtree opens a long-lived outbound connection, even to a normally trusted destination such as Azure, shortly after a new or untrusted repository was opened. This is an application of **[D3-PA: Process Analysis](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)**.\n*   **Code Scanning:** Static analysis or pre-open scanning could be configured to look for the malformed files or prompt-injection text used in this attack, but such signatures are narrow and easily varied, so this is not a general defense.\n\n## Remediation Steps\n1.  **Update Immediately:** Users of the Cursor AI editor should update to the latest version as soon as the developers publish a patch.\n2.  **Vet Repositories:** Treat opening a repository in an agentic editor as running code from it. Exercise caution with repositories from untrusted or unknown sources, and prefer to open them in a disposable environment.\n3.  **Use Sandboxing:** Where the platform allows it, run development tools such as AI code editors inside a sandboxed or virtualized environment to limit their access to the underlying operating system and file system. This aligns with `M1048 - Application Isolation and Sandboxing`.","Critical 'NomShub' vulnerability in the Cursor AI coding editor could allow attackers to hijack a developer's machine just by opening a malicious repository. 
💻 #Vulnerability #AI #DevSecOps #RCE","Researchers have discovered a critical vulnerability chain, 'NomShub,' in the Cursor AI editor that can be exploited to gain remote shell access to a developer's machine with no user interaction.",[13,14,15],"Vulnerability","Supply Chain Attack","Cloud Security","critical",[18,22,25],{"name":19,"type":20,"url":21},"Cursor AI","product","https://cursor.sh/",{"name":23,"type":24},"Straiker","security_organization",{"name":26,"type":20,"url":27},"Microsoft Azure","https://azure.microsoft.com/",[],[30],{"url":31,"title":32,"date":33,"friendly_name":34,"website":35},"https://www.securityweek.com/cursor-ai-vulnerability-exposed-developer-devices/","Cursor AI Vulnerability Exposed Developer Devices","2026-04-17","SecurityWeek","securityweek.com",[],[38,42,46,49],{"id":39,"name":40,"tactic":41},"T1195.001","Compromise Software Dependencies and Development Tools","Initial Access",{"id":43,"name":44,"tactic":45},"T1059","Command and Scripting Interpreter","Execution",{"id":47,"name":48,"tactic":45},"T1059.004","Unix Shell",{"id":50,"name":51,"tactic":52},"T1219","Remote Access Software","Command and Control",[54,64],{"id":55,"name":56,"d3fend_techniques":57,"description":62,"domain":63},"M1051","Update Software",[58],{"id":59,"name":60,"url":61},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","The primary mitigation is to update the Cursor AI editor to a patched version as soon as it becomes available.","enterprise",{"id":65,"name":66,"d3fend_techniques":67,"description":72,"domain":63},"M1048","Application Isolation and Sandboxing",[68],{"id":69,"name":70,"url":71},"D3-HBPI","Hardware-based Process Isolation","https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation","Run development tools in a containerized or virtualized environment to limit their access to the host operating system, mitigating the impact of a 
compromise.",[74,80],{"technique_id":75,"technique_name":76,"url":77,"recommendation":78,"mitre_mitigation_id":79},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","To detect the 'NomShub' attack, organizations should use an EDR solution capable of deep Process Analysis on developer workstations. The key detection opportunity lies in monitoring the behavior of the Cursor AI process tree itself. Cursor, like other VS Code-based editors, launches shells routinely for its integrated terminal and for commands the agent runs, so an alert on every shell child of the Cursor process will be noisy. The high-fidelity signal is a shell (e.g., `sh`, `bash`, `zsh`, `powershell.exe`) under the Cursor process tree that itself, or through a child it spawns, establishes a long-lived outbound connection, especially one that appears shortly after a new or untrusted repository is opened. Correlating the process-creation event with that network activity and with the recent workspace open raises the confidence of the alert. This behavioral detection is crucial because the attack's network traffic is designed to be evasive by tunneling through legitimate Microsoft Azure infrastructure.","M1049",{"technique_id":59,"technique_name":60,"url":61,"recommendation":81,"mitre_mitigation_id":55},"The most direct and effective countermeasure for the 'NomShub' vulnerability is a timely Software Update. Organizations that permit the use of Cursor AI must have a robust patch management program for their development tools, not just operating systems and servers. Upon notification of this vulnerability, a policy should be enforced to push the patched version of Cursor AI to all developer endpoints immediately. This can be managed through enterprise software deployment tools. Furthermore, network access controls or application control policies could be temporarily implemented to block older, vulnerable versions of Cursor from running or accessing the network until they are updated. 
This removes the root cause of the vulnerability (the prompt injection and the sandbox bypass) from the environment, providing a definitive fix rather than relying on detective controls.",[],[84,90,96],{"type":85,"value":86,"description":87,"context":88,"confidence":89},"process_name","Cursor.exe","The Cursor AI editor process (`Cursor.exe` on Windows; the image is `Cursor` on macOS and Linux). Monitor its process tree for shells ('sh', 'bash', 'zsh', 'powershell.exe') whose subtree opens an outbound connection; a shell on its own is routine for this editor.","EDR process-creation telemetry; Sysmon Event ID 1 (Process Creation) on Windows.","high",{"type":91,"value":92,"description":93,"context":94,"confidence":95},"network_traffic_pattern","Persistent outbound connection from Cursor.exe to a Microsoft Azure IP","While normally legitimate, a long-lived, interactive-like connection established shortly after opening a new repository could indicate the abused remote tunnel feature.","NetFlow analysis, EDR network connection logs.","low",{"type":97,"value":98,"description":99,"context":100,"confidence":95},"command_line_pattern","*shell built-in commands*","The exploit abuses shell built-ins, which run inside the shell process and therefore never appear as a separate process-creation event. Only shell-level command auditing (shell history forwarding, audit hooks, or EDR command-line capture inside the session) can surface them.","Advanced EDR tools or shell audit logging.",[13,19,102,103,104,14,105],"RCE","Developer Security","AI","Prompt Injection","2026-04-17T15:00:00.000Z","Advisory",{"geographic_scope":109,"industries_affected":110,"other_affected":112},"global",[111],"Technology",[113],"Software developers using Cursor AI",4,1776444962010]
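The Detection Methods section and the D3-PA countermeasure above describe the endpoint signal for NomShub as a shell under Cursor's process tree that opens an outbound connection shortly after a repository is opened. The following is an added example, not Straiker's proof of concept and not Cursor's code, that turns that description into detection logic over EDR-style process-creation and network-connection records. The record fields, the window length, the tunnel-client image name, the destination host, and the sample events are all constructed for this example; real telemetry (Sysmon Event ID 1 and 3 on Windows, an EDR export on macOS or Linux) has to be mapped onto the `ProcEvent` and `NetEvent` records.

```python
"""Process-tree detection for the NomShub pattern described on this page.

Added example (not Straiker's PoC, not Cursor's code). It models the D3-PA
recommendation as logic over EDR-style process and network records. Field
names, the correlation window, the placeholder image/host names and the
sample events are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Editor image name differs per platform: Cursor.exe (Windows), Cursor (macOS/Linux).
EDITOR_IMAGES = {"cursor", "cursor.exe"}
SHELL_IMAGES = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh"}
REPO_OPEN_WINDOW_S = 300.0  # assumption: a repo opened <= 5 min before the shell counts


@dataclass
class ProcEvent:
    ts: float
    pid: int
    ppid: int
    image: str   # full path or bare image name
    cmdline: str


@dataclass
class NetEvent:
    ts: float
    pid: int     # process that opened the outbound connection
    dest: str
    dport: int


def basename(image: str) -> str:
    """Normalise a Windows or POSIX path to a lowercase image name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


class ProcessTree:
    def __init__(self, procs: List[ProcEvent]) -> None:
        self.by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}

    def ancestors(self, pid: int) -> Iterator[ProcEvent]:
        """Walk parent links upward; the seen-set guards against pid-reuse loops."""
        seen = set()
        cur = self.by_pid.get(pid)
        while cur is not None and cur.ppid not in seen:
            seen.add(cur.ppid)
            cur = self.by_pid.get(cur.ppid)
            if cur is not None:
                yield cur

    def descendants(self, pid: int) -> List[ProcEvent]:
        out, stack = [], [pid]
        while stack:
            parent = stack.pop()
            for p in self.by_pid.values():
                if p.ppid == parent:
                    out.append(p)
                    stack.append(p.pid)
        return out


def detect(procs: List[ProcEvent], nets: List[NetEvent], repo_opens: List[float]) -> List[dict]:
    """Score every shell that runs under the editor.

    A shell under Cursor is routine (integrated terminal, agent-run build
    commands), so it starts at 'low'. It rises to 'medium' when the shell or
    anything it spawned opens an outbound connection, and to 'high' when that
    also follows a recent repository open: the sequence the page describes.
    """
    tree = ProcessTree(procs)
    net_by_pid: Dict[int, List[NetEvent]] = {}
    for n in nets:
        net_by_pid.setdefault(n.pid, []).append(n)

    alerts = []
    for p in procs:
        if basename(p.image) not in SHELL_IMAGES:
            continue
        editor = next((a for a in tree.ancestors(p.pid) if basename(a.image) in EDITOR_IMAGES), None)
        if editor is None:
            continue  # shells under Terminal.app, sshd, etc. are out of scope here
        severity = "low"
        reasons = [f"{basename(p.image)} pid {p.pid} under editor pid {editor.pid}"]
        subtree = [p.pid] + [d.pid for d in tree.descendants(p.pid)]
        conns = [n for spid in subtree for n in net_by_pid.get(spid, [])]
        if conns:
            severity = "medium"
            reasons.append(f"{len(conns)} outbound connection(s) from the shell subtree")
        recent_open = any(0.0 <= p.ts - t <= REPO_OPEN_WINDOW_S for t in repo_opens)
        if conns and recent_open:
            severity = "high"
            reasons.append("repository opened within the window before the shell spawned")
        alerts.append({"pid": p.pid, "severity": severity, "reasons": reasons, "cmdline": p.cmdline})
    return alerts


# Constructed sample telemetry (macOS-style paths). The tunnel-client image and
# the destination host are placeholders, not names taken from the page.
SAMPLE_PROCS = [
    ProcEvent(50.0, 3000, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
    ProcEvent(60.0, 3001, 3000, "/bin/zsh", "-zsh"),                      # user terminal: not under Cursor
    ProcEvent(100.0, 4000, 1, "/Applications/Cursor.app/Contents/MacOS/Cursor", "Cursor"),
    ProcEvent(150.0, 4100, 4000, "/bin/zsh", "zsh -l"),                  # integrated terminal: benign
    ProcEvent(160.0, 4101, 4100, "/usr/bin/make", "make build"),
    ProcEvent(220.0, 4200, 4000, "/bin/sh", "sh -c <agent command>"),    # agent-run shell after repo open
    ProcEvent(221.0, 4201, 4200, "/placeholder/tunnel-client", "tunnel-client"),  # placeholder image
]
SAMPLE_NETS = [NetEvent(225.0, 4201, "tunnel-endpoint.example", 443)]   # placeholder destination
SAMPLE_REPO_OPENS = [200.0]   # editor opened a new workspace at t=200


def run_sample() -> List[dict]:
    return detect(SAMPLE_PROCS, SAMPLE_NETS, SAMPLE_REPO_OPENS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"], a["pid"], "; ".join(a["reasons"]))
```

On the sample data the integrated-terminal `zsh` scores low and the agent-run `sh` whose child connects out after the workspace open scores high; dropping the network events or the repo-open timestamp lowers it, which is the point of alerting on the combination rather than on any single event.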