Cursor Issue Paves Way for Credential-Stealing Attacks www.darkreading.com/vulnerabi…
An inherent insecurity in the increasingly popular artificial intelligence (AI)-powered developer environment Cursor allows attackers to take over its browser to deliver credential-stealing attacks. The flaw allows JavaScript injection that circumvents Cursor’s own controls and demonstrates a threat to the overall agentic AI-assisted developer ecosystem.
Researchers at cybersecurity vendor Knostic discovered the attack vector, which exploits Cursor’s failure to perform integrity checks on features specific to the development environment, according to a recent blog post. Other coding environments, such as Visual Studio (VS) Code, perform these checks and, thus, add a security layer the Cursor AI environment doesn’t have.
“That difference makes Cursor’s runtime components a higher-risk target for tampering,” Knostic researcher Dor Munis wrote in the post. Indeed, researchers have discovered various weaknesses and flaws in these emerging AI-assisted developer tools that pose new threats to the software development supply chain.