Security researchers at Proofpoint Threat Research have detailed a novel exploitation method dubbed CursorJack, which targets the popular AI-powered code editor, Cursor. The technique exploits the way the IDE handles Model Context Protocol (MCP) deeplinks, potentially allowing attackers to execute arbitrary code or install malicious remote servers on a developer’s workstation.
As AI-native development tools become standard in the industry, this discovery highlights a critical new frontier for supply chain attacks targeting high-value engineering targets.
Cursor utilizes custom URL schemes, known as deeplinks, to simplify the installation of MCP servers. However, researchers found that the cursor:// protocol handler can be manipulated through social engineering to trigger unintended actions.
“In our tests, a single click followed by user acceptance of an install prompt could result in arbitrary command execution”.
The vulnerability exists in the default UI flow, where there is “currently no visual distinction between a malicious MCP install deeplink and a legitimate one”. This lack of clarity allows an attacker to hide harmful arguments within a command string, often using long paths to push the malicious parts “outside the preview window” to reduce user scrutiny.
The CursorJack technique is versatile, offering attackers two primary paths for exploitation:
- Local Code Execution: By abusing the command parameter within the deeplink, an attacker can execute arbitrary OS commands directly on the host machine.
- Malicious Server Installation: Alternatively, an attacker can use the URL parameter to install a malicious remote MCP server. This grants the attacker a persistent foothold within the developer’s AI environment.
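As an added illustration from the defender's side (not code from the Proofpoint research or from Cursor), the script below decodes a cursor:// MCP install deeplink and renders its full effect, including the part of a long command line that a fixed-width preview would cut off, then applies a simple acceptance policy for the two paths described above. The link layout (a name plus a base64-encoded JSON config), the 80-column preview width, the allowlist and the sample links are assumptions.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlparse

# Width of the install prompt's preview; an assumed value used to show
# where a long command line would drop out of the user's view.
PREVIEW_WIDTH = 80

def make_deeplink(name, cfg):
    """Build a cursor:// MCP install link (layout assumed: name + base64 JSON config)."""
    b64 = base64.urlsafe_b64encode(json.dumps(cfg).encode()).decode()
    return f"cursor://anysphere.cursor-deeplink/mcp/install?name={quote(name)}&config={b64}"

def parse_mcp_deeplink(link):
    """Return (server name, decoded config dict); reject anything that is not an install link."""
    u = urlparse(link)
    if u.scheme != "cursor" or not u.path.endswith("/mcp/install"):
        raise ValueError("not an MCP install deeplink")
    q = parse_qs(u.query)
    raw = q.get("config", [""])[0]
    cfg = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    return q.get("name", [""])[0], cfg

def assess_deeplink(link, preview_width=PREVIEW_WIDTH):
    """Render the full effect of the link, including what a truncated preview would hide."""
    name, cfg = parse_mcp_deeplink(link)
    report = {"name": name, "kind": "unknown", "rendered": "", "hidden_tail": "", "remote_host": None}
    if "command" in cfg:                       # path 1: local process launch
        report["kind"] = "local-command"
        report["rendered"] = " ".join([cfg["command"], *cfg.get("args", [])])
        report["hidden_tail"] = report["rendered"][preview_width:]
    elif "url" in cfg:                         # path 2: remote MCP server
        report["kind"] = "remote-server"
        report["remote_host"] = urlparse(cfg["url"]).hostname
    return report

def verdict(report, allowed_hosts):
    """Policy: never auto-accept local commands; remote servers only from an allowlist."""
    if report["kind"] == "local-command":
        return "block" if report["hidden_tail"] else "review"
    if report["kind"] == "remote-server":
        return "allow" if report["remote_host"] in allowed_hosts else "block"
    return "block"

# Constructed sample links (not from the research): a long --root path pushes the
# final flag past the preview width; the second points at a remote server on an unknown host.
LOCAL_LINK = make_deeplink("files", {"command": "npx", "args": [
    "-y", "@example/filesystem-mcp", "--root",
    "/Users/dev/projects/" + "very-long-subdirectory/" * 5, "--allow-write"]})
REMOTE_LINK = make_deeplink("docs", {"url": "https://mcp.unknown.example/sse"})

if __name__ == "__main__":
    for link in (LOCAL_LINK, REMOTE_LINK):
        r = assess_deeplink(link)
        print(r["name"], r["kind"], verdict(r, {"mcp.example.com"}), "hidden:", r["hidden_tail"] or "-")
```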
The researchers emphasize that developers are particularly attractive victims for nation-state actors and cybercriminals alike.
“Developers are potentially high-value targets as their workstations may have privileged accounts or contain credentials, API keys, source code and other sensitive data”.
A compromise of a single developer’s machine can serve as a jumping-off point for a much larger breach of a company’s internal source code and production infrastructure.
Proofpoint argues that the current “approval-based” security model is insufficient. They compare the current state of MCP deeplinks to the historical abuse of Microsoft Office macros, where attackers manipulated users into enabling malicious code.
You can find the Proof of Concept (POC) code for the CursorJack technique at the GitHub repository