
Cursor AI editor autoruns malicious code in repositories

📰 2 unique sources, 2 articles

Summary


A flaw in the Cursor AI editor allows malicious code in repositories to autorun on developer devices. This vulnerability can lead to malware execution, environment hijacking, and credential theft. The issue arises from Cursor disabling the Workspace Trust feature from VS Code, which prevents automatic task execution without explicit user consent. The flaw affects one million users who generate over a billion lines of code daily. The Cursor team has decided not to fix the issue, citing the need to maintain AI and other features. They recommend users enable Workspace Trust manually or use basic text editors for unknown projects. The flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools.

Timeline

  1. 10.09.2025 18:46 📰 2 articles · ⏱ 3d ago

    Cursor AI editor flaw allows autorun of malicious code in repositories

    A flaw in the Cursor AI editor, stemming from the disabling of the Workspace Trust feature, allows malicious code in repositories to autorun on developer devices. This vulnerability can lead to malware execution, environment hijacking, and credential theft. The Cursor team has decided not to fix the issue, citing the need to maintain AI and other features. They recommend users enable Workspace Trust manually or use basic text editors for unknown projects. The flaw allows attackers to execute malicious code when a user opens a repository that contains a .vscode/tasks.json file. The vulnerability can be exploited to leak sensitive credentials, modify files, or serve as a vector for broader system compromise. Users are advised to enable Workspace Trust in Cursor, open untrusted repositories in a different code editor, and audit them before opening them in Cursor. The Cursor flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools, and is one of several vulnerabilities affecting such tools, including WebSocket authentication bypasses, SQL injection, path traversal, and authorization vulnerabilities.

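The autorun mechanism described above is VS Code's task trigger `"runOptions": {"runOn": "folderOpen"}`, which Workspace Trust would otherwise block in an untrusted folder. The following audit script, added here as an illustration and not code from CyberHappenings or the Cursor project, implements the "audit untrusted repositories before opening them" advice: it parses a repository's `.vscode/tasks.json` and reports every task configured to run on folder open. The sample `tasks.json` is constructed for the example, the comment-stripping assumes comments sit on their own lines, and the `RECOMMENDED_SETTINGS` entry shows the real VS Code/Cursor setting name that re-enables Workspace Trust.

```python
"""Audit a repository's .vscode/tasks.json for tasks that a VS Code-style
editor starts automatically when the folder is opened.

Added example (not from the page or the Cursor project). The sample
tasks.json below is constructed for illustration only."""
import json
import re
from pathlib import Path

FOLDER_OPEN = "folderOpen"  # VS Code's runOptions.runOn value for auto-start tasks

# Setting that turns Workspace Trust back on (assumed to be the relevant key
# in Cursor as in VS Code); untrusted folders then do not auto-run tasks.
RECOMMENDED_SETTINGS = {"security.workspace.trust.enabled": True}


def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; remove block comments, whole-line
    // comments and trailing commas so the standard json module can parse it.
    Assumption: // comments are on their own line (keeps URLs in strings safe)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return every task whose runOptions.runOn is 'folderOpen'."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == FOLDER_OPEN:
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return findings


def audit_repo(repo: "str | Path") -> list[dict]:
    """Audit a checked-out repository; an absent tasks.json yields no findings."""
    path = Path(repo) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_autorun_tasks(path.read_text(encoding="utf-8"))


# Constructed sample: one ordinary build task and one task set to auto-start.
SAMPLE_TASKS_JSON = """{
  // constructed sample tasks.json
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "make",
    },
    {
      "label": "setup",
      "type": "shell",
      "command": "sh",
      "args": ["./scripts/setup.sh"],
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}"""


if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTORUN task {f['label']!r}: {f['command']} {' '.join(f['args'])}")
    print("Recommended editor settings:", json.dumps(RECOMMENDED_SETTINGS))
```

Run `audit_repo("/path/to/clone")` from a plain shell before the repository is ever opened in Cursor; any finding is a task the editor would have launched without a prompt while Workspace Trust is off. The check is deliberately limited to the trigger the page describes; it does not judge whether the command itself is benign.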


Similar Happenings

Critical SAP NetWeaver Command Execution Vulnerabilities Patched

SAP has patched three critical vulnerabilities in NetWeaver, its middleware for business applications. The most severe flaw, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via insecure deserialization. Two other critical issues, CVE-2025-42922 and CVE-2025-42958, enable authenticated users to upload arbitrary files and unauthorized users to access administrative functions. These vulnerabilities affect SAP's ERP, CRM, SRM, and SCM applications, widely used in large enterprise networks. The patches come amid ongoing exploitation of another critical SAP vulnerability, CVE-2025-42957, which affects S/4HANA, Business One, and NetWeaver products. SAP released 21 new and four updated security notes on its September 2025 patch day, including updates for NetWeaver AS ABAP and other SAP products. SAP has also released a patch for a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1).

Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.

Model Namespace Reuse Attack Demonstrated Against AI Supply Chains

Researchers at Palo Alto Networks have demonstrated a new AI supply chain attack method, Model Namespace Reuse, which targets platforms like Hugging Face. This method allows attackers to register names of deleted or transferred models, deploying malicious AI models and achieving arbitrary code execution. The attack was successfully demonstrated against Google’s Vertex AI and Microsoft’s Azure AI Foundry, and it poses a risk to open-source projects. The attack method exploits the reuse of model names, enabling threat actors to register accounts with targeted developer names and create malicious models. This can lead to unauthorized access to underlying infrastructure and initial access points into user environments. Thousands of open-source repositories are potentially vulnerable to this attack. Google, Microsoft, and Hugging Face have been notified, and Google has started daily scans to mitigate the risk. Palo Alto Networks recommends pinning models to specific commits, cloning models, and scanning code for model references to enhance security.

Exploit chain in Sitecore Experience Platform enables remote code execution

Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE). The flaws include HTML cache poisoning, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches for these vulnerabilities were released in June and July 2025. The exploit chain leverages a combination of pre-authentication and post-authentication vulnerabilities to compromise fully patched instances of the platform. Additionally, a zero-day vulnerability (CVE-2025-53690) has been exploited by threat actors to deliver malware, including WeepSteel, and perform extensive reconnaissance and lateral movement. The flaw is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2025 Sitecore guides. The attackers target the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieve RCE under the IIS NETWORK SERVICE account by leveraging CVE-2025-53690. The malicious payload dropped by the attackers is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information. The attack observed by Mandiant stemmed from a documentation issue involving sample machine keys provided for customer use. Sitecore advised customers to rotate and secure ASP.NET machine keys, encrypt elements in web.config files, and restrict access to administrators only. CISA has ordered FCEB agencies to update their Sitecore instances by September 25, 2025.

AI-Driven Exploit Generation Reduces Time to Proof-of-Concept to 15 Minutes

A new AI-powered system, Auto Exploit, developed by Israeli researchers, generates proof-of-concept exploits for vulnerabilities in open-source software in under 15 minutes. The system uses large language models (LLMs) to analyze CVE advisories and patches, creating exploits for 14 vulnerabilities. This development highlights the potential for rapid, automated exploit creation, significantly reducing the time defenders have to respond to new vulnerabilities. The system leverages Anthropic's Claude-sonnet-4.0 model to analyze advisories and code patches, generating exploit code and validating it against vulnerable and patched applications. The researchers emphasize that this capability could be used by both financially motivated attackers and nation-state actors, increasing the risk of N-day exploits. The ease of bypassing LLM guardrails and the low cost of generating exploits underscore the need for defenders to adapt to faster exploitation cycles and focus on reachability analysis to prioritize vulnerability remediation.