Inside the 2-Click Exploit That Hijacks Dev Environments Via Cursor AI

The shift toward AI-assisted software engineering has introduced a massive shift in developer productivity, but it has also carved out entirely new vectors for cyberattacks. A stark reminder of this reality arrived following security research revealing that Cursor AI, a highly popular AI-native code editor used by over 64% of the Fortune 500, is susceptible to a dangerous “two-click” exploit.

Discovered by security researchers at Adversa AI and running parallel to deep-link flaws (often tracked under concepts like “CursorJack”), this exploit allows a remote attacker to silently compromise a developer’s workstation. The payload? A permission-rich Model Context Protocol (MCP) server that grants the attacker unrestricted, sandboxed-free access to the local machine.

Here is a breakdown of how the exploit functions, why development environments are the ultimate prize for modern threat actors, and how to defend against it.

The Core Threat Vector: Model Context Protocol (MCP)

To understand the severity of the exploit, one must understand the power of MCP. Built to connect AI models seamlessly to the local environment, MCP allows an AI agent to query databases, call external APIs, and execute local file-system operations.

However, in development tools like Cursor, MCP servers typically execute commands with the exact same privileges as the user who installed them. While this grants the AI the fluid access it needs to code efficiently, it also means a malicious MCP server acts as a stealthy, hyper-privileged backdoor.

Anatomy of the “Two-Click” Takeover

The attack chain relies on an old-school combination of UI obfuscation, social engineering, and deep-linking. It unfolds in three primary stages:

1. The Poisoned Pull Request (Click #1)

Because developers are trained not to click random configuration or installation links out of the blue, attackers weaponize routine code review habits. Researchers discovered they could use double URL encoding to conceal a Cursor installation deep-link (cursor://...) inside what appears to be a standard GitHub or GitLab Pull Request link.

When a developer clicks the link to review their colleague’s code, the browser intercepts the custom protocol handler and seamlessly opens the Cursor IDE.

2. The Truncated Dialog Box (Click #2)

Once inside the IDE, Cursor displays a pop-up confirmation dialog asking the user if they wish to install an MCP server.

This is where a classic user interface flaw comes into play. The confirmation window shows the name of the server, but the “Argument” field—the section displaying the exact commands the server will run—is horizontally constrained. An attacker can easily format the line so that a legitimate-looking string of code is visible, while hiding a string of malicious commands completely off-screen.

Believing they are simply accepting a repository-specific tool, the developer clicks “Install”.

3. Execution & Persistence

The moment the developer hits approve, the malicious configuration is written to the editor’s local settings (such as ~/.cursor/mcp.json). The attacker’s remote server immediately drops a payload—often establishing an active Meterpreter or command-and-control (C2) session. Because MCP processes run persistently alongside the editor, the malicious code can execute every single time Cursor is launched, entirely bypassing any internal application sandboxing.

Why Developers are High-Value Targets

Securing the developer workstation has traditionally been an afterthought compared to locking down production servers, but the explosion of AI coding tools has dramatically shifted the risk landscape. Compromising a developer’s machine yields an immediate treasure trove:

  • High-Value Credentials: Access tokens, cloud provider keys (AWS, Azure), and SSH keys used to push code.

  • Proprietary IP: Full access to local Git repositories, uncommitted source code, and underlying corporate architecture.

  • Supply Chain Amplification: A compromised developer profile allows attackers to quietly inject malicious snippets into version control or CI/CD pipelines, poisoning production software before it ever reaches deployment.

How to Protect Your Environment

Securing AI-assisted development setups requires moving past the assumption that local IDE extensions are inherently safe.

Defense CategoryMitigation Strategy
Immediate Editor TweaksDisable features like Auto-Run Mode for agents within your IDE configurations. Always audit the full text of an MCP setup by manually opening your global mcp.json if you suspect a link behaved strangely.
Zero-Trust ExtensionsTreat custom protocol handlers (like cursor://) with the same scrutiny as executable binaries. Never install an MCP server suggested via an external hyperlink, chat box, or unsolicited repository pull request.
Process MonitoringConfigure Endpoint Detection and Response (EDR) tools to flag anomalous network connections originating directly from Cursor background processes or unexpected local child processes.
Network & Secrets IsolationMove high-privilege operations to containerized development environments (like Devcontainers or Github Codespaces). Keeping your cloud tokens and production keys isolated ensures that even if a local editor exploit hits, the blast radius is strictly contained.

As AI agents grow more autonomous and deeply woven into our local workflows, the boundaries of trusted software will continue to blur. Staying secure requires updating patch cycles rapidly and maintaining rigid oversight over the third-party models and tools we invite into our terminals.

References

Primary Cybersecurity & Threat Intelligence Reports

  • Dark Reading Threat Analysis:

    • Citation: Nelson, N. (2026). 2-Click Cursor Exploit Enables Dev Environment Takeover. Dark Reading.

    • Context: This is the exclusive industry report detailing the Adversa AI findings regarding the deep-link obfuscation and truncated UI confirmation box vector used to plant malicious MCP servers.

    • URL: [https://www.darkreading.com/application-security/2-click-cursor-exploit-dev-environment-takeover](https://www.darkreading.com/application-security/2-click-cursor-exploit-dev-environment-takeover)

  • Proofpoint Threat Insight (CursorJack Research):

    • Citation: Proofpoint Threat Research Team. (2026). CursorJack: Weaponizing Deeplinks to Exploit Cursor IDE. Proofpoint Blog.

    • Context: Provides the concrete framework and proof-of-concept (PoC) illustrating how the cursor:// custom protocol handler can be abused alongside social engineering to write malicious strings directly to local mcp.json configs.

    • URL: [https://www.proofpoint.com/us/blog/threat-insight/cursorjack-weaponizing-deeplinks-exploit-cursor-ide](https://www.proofpoint.com/us/blog/threat-insight/cursorjack-weaponizing-deeplinks-exploit-cursor-ide)

  • Cloud Security Alliance (CSA) Research Note:

    • Citation: Cloud Security Alliance AI Safety Initiative. (2026). MCP Attack Surface: Tool Poisoning and IDE Auto-Execution. CSA Labs.

    • Context: A comprehensive look at the broader architectural risks of the Model Context Protocol across agentic developer tools, exploring how permission-rich environments are prone to tool poisoning.

    • URL: [https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-tool-poisoning-auto-execution-20260701/](https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-tool-poisoning-auto-execution-20260701/)

Vulnerability Databases & Technical Tracking

  • National Vulnerability Database (NVD) – CVE-2025-54133:

    • Identification: CVE-2025-54133 (UI Information Disclosure / Command Injection in Cursor Deeplink Handler).

    • Context: The official vulnerability record tracking the exact mechanism where the installation dialog fails to display hidden arguments passed via the cursor://anysphere.cursor-deeplink/mcp/install string.

    • URL: [https://nvd.nist.gov/vuln/detail/CVE-2025-54133](https://nvd.nist.gov/vuln/detail/CVE-2025-54133)

  • Mallory.ai Vulnerability Intel (CurXecute / CVE-2025-54135):

    • Identification: CVE-2025-54135.

    • Context: In-depth analysis of the underlying configuration exploits that allow external prompt injections to manipulate the creation of the .cursor/mcp.json files on local host machines.

    • URL: [https://www.mallory.ai/vulnerabilities/CVE-2025-54135](https://www.mallory.ai/vulnerabilities/CVE-2025-54135)

Facebook
Twitter
LinkedIn
WhatsApp
Reddit
Telegram
Inside the 2-Click Exploit That Hijacks Dev Environments Via Cursor AI
Scroll to top