Cursor, a leading ‘vibe coding’ platform, turns natural language prompts into working code–offering speed and power while raising new enterprise security considerations. A successful exploit will allow attackers to access sensitive data within developer environments, including API keys, cloud credentials, and SaaS sessions.
Autorun RCE allows organization-wide compromise
The flaw exists because Cursor ships with Workspace Trust turned off by default, allowing tasks to run automatically without explicit user approval. This allows attackers to inject into public repositories a crafted “.vscode/tasks.json” file, which can be set to autorun tasks the moment a folder is opened — no prompt, no warning. This execution pathway can allow a malicious repository to compromise a developer’s machine through something as ordinary as browsing into a project.
“Opening a crafted workspace can execute commands under the current user’s privileges, inheriting file-system, network, and credential access,” Oasis researchers said in the disclosure. “Readable environment variables and locally stored secrets (tokens, API, config files) can be harvested, creating a direct path to unauthorized access with an organization-wide blast radius.”
