A newly deteced vuln in AI code editor Cursor could let bad repos run commands as soon you open them—no clicks needed.#brain==>addtogroup http://bit.ly/tinysourceFAILS #goodhuman
The problem lies in autorun tasks and a protective setting that is off by default, providing an easy route to code execution, data theft, and supply chain compromise. The remedy is simple, but forceful action is necessary.
What researchers found
Those hosting a. vscode/tasks. json file can specify tasks that run on folder open. Several of those tasks can even trigger the moment you open a project—before you’ve read any code—if Cursor’s Workspace Trust is off. A booby-trapped repo could, in theory, exfiltrate credentials, poison source code and add persistence with no user interaction in a practical context.
Workspace Trust is meant to gate risky behaviors (such as executing tasks, running scripts or installing certain extensions) until your user has explicitly tagged a project as trusted. Trust is not a novelty in regular Visual Studio Code. Cursor, by contrast, emphasizes automation and has come with trust disabled out of the box, according to Oasis. That UX feature does make getting started with coding easier, but it also dials down the guard rails that prevent autorun attacks.
Why it matters to developers
Malicious tasks are a powerful supply chain vector. The attackers can include a seemingly innocent. directory to an otherwise valuable repo. When a task with runOn: folderOpen is opened, it can execute arbitrary shell commands to pilfer SSH keys, cloud tokens, or package manager credentials; modify build scripts; or inject backdoors into compiled artifacts.
It’s not some theoretical edge case. That the hacks ranged beyond a single company reflects what has become key feature of cybersecurity attacks known as blast radius: The scope of damage caused by an attack often extends well beyond the original target. CISA and the Open Source Security Foundation have both warned in recent weeks that developer environments are now a top target for attackers since they straddle source code, secrets and production infrastructure.
How to fix in Cursor.ignore
The quickest to act on is enabling Workspace Trust and making a startup prompt for every new project. In Cursor’s Settings (JSON view), input the following and reopen the editor: “security. workspace. trust. enabled”: true and “security. workspace. trust. startupPrompt”: “always”. This makes sure untrusted folders can’t run tasks, enable dangerous extensions, or execute code without your go-ahead.
Also review your tasks policy. If you’re not pulling from autorun behavior, just disable it outright by typing “tasks” into Search and turning off automatic task execution. In tasks. json, be aware of any task running `runOn`: “folderOpen” or calls to network utilities (curl, wget, Invoke-WebRequest) from the shell, script pipelines or actions that change permissions (chmod), and Git hooks.
Cursor has said it will release updated security guidance on trust. In the meantime, consider any internet-sourced repository — including forks and local examples — to be untrusted by default.
Operational checks developers can do
Before you trust a workspace, check it with. vscode/tasks. json for any tasks that: trigger on folder open, runshell commands, pull in remote scripts, write to HOME and or ~/. ssh, env files and alternatively update build pipeline. If something looks like “runOn”: “folderOpen” combined with script execution, take the risk and check line by line.
If you have ever opened untrusted repos with trust off, a forensics-lite flyby:
scan the shell history for unexpected commands
examine ~/. ssh, cloud CLI dirs, npm/pip registries, and OS keychains for new/modified tokens; check git hooks for illicit scripts; review outbound network logs to see odd destinations when the repo was first opened. When in doubt, cycle credentials for services that are impacted.
Team hardening and policy tips
Configure organization-wide defaults – enforce Workspace Trust using Settings sync or managed configuration profiles. Mandate that developers open third-party repos in sandboxes — containers, VMs or ephemeral cloud workspaces — before pulling them onto laptops. Add pre-commit or CI checks that warn about. vscode/tasks. json with autorun triggers.
Adopt the “trust on first open” habit: if you have to trust a project, detail why, and check this decision into the repo’s SECURITY. md Pair this with revolving least-privilege tokens for local builds and segregating secrets from development machines to the best of your ability, as per CISA’s Secure by Design guidance.
Bottom line
Cursor Automation here is a productivity enhancer, but it’s also a trades club to the nuts if Worktrust is off. A single malicious tasks. It’s amazing to see how a casual repo opening can be turned into a silent tool compromise by json. Turn on trust prompts, disable autorun tasks you don’t need and assume unknown code is hostile until proven otherwise. The repair is minutes; the consequence of a supply chain breach can be months long.