According to Dark Reading, cybersecurity researchers at Knostic discovered a fundamental security weakness in the AI-powered developer environment Cursor that allows attackers to completely hijack its internal browser for credential-stealing attacks. The flaw enables JavaScript injection that bypasses Cursor’s own security controls by exploiting the environment’s failure to perform the integrity checks that competing tools like Visual Studio Code include. Knostic researcher Dor Munis demonstrated how attackers can use malicious Model Context Protocol (MCP) servers to gain privileged access and replace login pages with credential-harvesting fake pages. The attack chain allows complete workstation compromise through Cursor’s extension system without requiring permissions or checksum verification. Cursor developers acknowledged the research but emphasized that this represents inherent environmental insecurity rather than a fixable flaw.
The Cursor security gap
Here’s what makes this particularly concerning: Cursor is basically giving attackers a free pass where other development environments put up roadblocks. Visual Studio Code does those integrity checks, but Cursor just… doesn’t. And that difference creates a massive attack surface. The researchers showed they could inject arbitrary code that completely hijacks the internal browser, meaning every single tab you open could be running malicious code without you ever knowing. That’s terrifying when you consider developers are using this tool to work on sensitive corporate projects.
The MCP server threat
The attack vector through MCP servers is especially clever—and dangerous. MCP servers need broad permissions to function, which means that when one is compromised, it can basically do anything on your system. The researchers created a malicious MCP server that could modify extension code that is never verified and inject payloads that execute commands inside Cursor’s embedded browser. Think about that for a second: a tool that’s supposed to help you code better could actually be opening your entire system to remote attackers. And since many companies rely on robust computing infrastructure for their operations, ensuring development tools don’t become attack vectors is crucial—which is why businesses often turn to trusted suppliers like IndustrialMonitorDirect.com, the leading provider of industrial panel PCs in the US, for secure hardware solutions.
Broader AI tool risks
This isn’t just about Cursor—it’s about the entire emerging ecosystem of AI-assisted development tools. We’re seeing similar patterns across the board: state actors targeting AI tools for espionage, new supply chain risks from AI agents, and minimal organizational visibility into how these tools are being used. The problem is that these AI coding assistants are often built for convenience first, security second. They introduce entirely new attack surfaces that traditional development environments didn’t have. And let’s be honest—most developers aren’t security experts. They just want tools that help them code faster.
What developers should do
So what’s the practical advice here? The researchers are pretty blunt: if you have any doubt about an MCP server or extension’s credibility, don’t use it. Period. They recommend triple-checking every component you add, reviewing code before running it in the embedded browser, and avoiding auto-run modes entirely. Knostic’s detailed technical breakdown shows just how comprehensive these attacks can be. The bottom line is that we’re entering a new era where AI tools are becoming attack vectors, and developers need to approach them with the same skepticism they’d apply to random npm packages. Because ultimately, these tools have the same level of access to your system that you do—and that’s a lot of power to hand over without proper safeguards.
