A newly disclosed flaw in the Cursor extension allows repositories to automatically execute code when a folder is opened, even without a developer's consent.
The issue stems from the extension's "autorun" feature, which launches commands tied to workspace events, such as opening a project.
Researchers at Oasis Security found that malicious actors could craft repositories that exploit this functionality. By embedding hidden instructions, attackers can trigger unauthorized code execution the moment a user opens the repository in Visual Studio Code with Cursor installed.
The discovery highlights how supply chain threats are evolving beyond dependency hijacking. Instead of waiting for a developer to run scripts or install packages, adversaries can now weaponize something as routine as opening a folder.
"The Oasis Security team's findings highlight a serious but often overlooked risk: the silent execution of malicious code through development environments," said Heath Renfrow, CISO at Fenix24.
Randolph Barr, CISO at Cequence Security, added: "I think this highlights a theme we've seen many times before - when products hit hypergrowth adoption (especially during COVID), 'secure by default' often gets sacrificed for speed. Cursor is going through the same rapid iteration cycles we saw with other tools back then, and unfortunately, it means repeating mistakes that more mature companies have already learned from."
Read more on software supply chain security: GhostAction Supply Chain Attack Compromises 3000+ Secrets
The potential consequences are significant. Malicious repositories could be used to:
Renfrow noted that with Workspace Trust disabled by default in Cursor, "this vulnerability effectively turns a simple 'open folder' action into a potential full compromise of a developer's machine."
He warned that developer laptops often contain cloud API keys, SaaS sessions and CI/CD credentials that attackers can exploit.
Barr also emphasized the growing focus on Cursor.
"What stands out here is that Cursor has already been a target - CurXecute and MCPoison were both identified this year (2025), along with at least two other Cursor-related vulnerabilities in the same timeframe," he said.
"Add in malicious npm packages that specifically targeted Cursor's macOS users, and it's clear this editor is firmly in the sights of bad actors."
Trey Ford, chief strategy and trust officer at Bugcrowd, called the flaw "an old-world vulnerability pattern that reminds me of the autorun.inf needing to be blocked when inserting a CD-ROM, DVD or removable drive from twenty-plus years ago."
He added that Cursor is now being compared to Microsoft's Visual Studio.
"This is a cause for a high-five and a reckoning to further harden and expand enterprise security capabilities," Ford added.
The report underscores a broader problem: developer tools are now part of the attack surface.
"This finding is a reminder that development tools are part of the attack surface and require the same level of hardening as production infrastructure," Renfrow concluded.