
Cursor AI Vulnerability Enables Remote Machine Hijacking

By Artūras Malašauskas, Apr 22, 2026. 2 min read
A security flaw in Cursor AI could allow attackers to hijack developer machines by embedding malicious prompts in repository files, requiring only that users open the repository.

The cybersecurity firm Straiker has uncovered a critical vulnerability chain in Cursor AI that could enable attackers to hijack developer machines through malicious repositories, according to a SecurityWeek report.

Named NomShub, the attack exploits an indirect prompt injection in Cursor's coding agents combined with a command sandbox bypass to write arbitrary code to the user's machine and abuse the editor's remote tunnel feature for persistent shell access. Crucially, no user interaction beyond opening a malicious repository in Cursor is required for exploitation.

Unlike typical vulnerabilities that require user input or clicks, the attack leverages Cursor's legitimately signed and macOS-notarized binary to bypass sandbox restrictions. The vulnerability stems from inadequate safeguards around shell builtins (commands that run inside the shell process itself rather than as separate executables), which let attackers manipulate environment variables and working-directory changes to overwrite the .zshenv file, a configuration file that every new Zsh shell instance executes.

Attackers embed malicious prompts in repository README.md files, which the AI agent reads and acts on when the repository is opened. The agent then generates a device code for GitHub authorization via Cursor's tunnel feature, granting persistent access to the victim's system for as long as the process remains running. All traffic routes through Microsoft Azure infrastructure, making network-level detection nearly impossible.

Straiker discovered the vulnerability in January and reported it to Cursor before public disclosure. The incident highlights growing security risks in AI-assisted development tools, where automated code generation and dependency management create expanded attack surfaces. As Dan Lorenc of Chainguard noted in a separate announcement, "AI agents are making dependency decisions at a scale and speed no security team can manually review."

Developers using Cursor should exercise caution when opening repositories from untrusted sources, particularly those containing README files with unusual formatting. While Cursor has not publicly confirmed remediation steps, the vulnerability underscores the need for robust security practices in AI-powered development environments where code execution can occur without explicit user consent. The incident serves as a critical reminder that even signed and notarized applications can introduce security risks when integrated with AI-driven workflows.

Artūras Malašauskas is an AI Systems Integrator with 20+ years of production-grade web engineering experience. He has designed, shipped, and scaled enterprise Python/PHP systems for logistics, SaaS, and public-sector clients. For the past year, he has focused exclusively on AI integrations: deploying open-source LLMs, building generative media pipelines (image, audio, video), and engineering multi-agent workflows for real production environments. His standard: reproducibility, security, cost-efficient inference—no vaporware. He documents and evaluates emerging AI tooling, separating verified capabilities from marketing noise. Technical editor at: muza-ai.eu, ai-verslas.lt, ai-naujinos.lt