In a recent cybersecurity revelation, a flaw in Cursor AI has been identified, posing significant risks to developer systems. This vulnerability, discovered by the security firm Straiker, could have enabled attackers to commandeer developer devices through malicious repositories.
Understanding the NomShub Attack Chain
Known as NomShub, this attack technique capitalizes on an indirect prompt injection in coding agents and circumvents command sandbox restrictions. This allows the attacker to write code directly onto the user’s machine and exploit Cursor’s remote tunnel feature to obtain shell access.
Notably, executing such an attack requires minimal user interaction, as simply opening a malicious repository in Cursor is enough to trigger the exploit. Straiker highlights that this vulnerability is particularly concerning due to its ability to grant an attacker comprehensive file system access and command execution privileges on macOS systems.
Challenges in Detecting the Threat
Detecting this attack at a network level presents significant challenges. The traffic associated with the exploit traverses Microsoft Azure infrastructure, making network-based detection nearly impossible. Straiker explains that Cursor’s inadequate protections against shell commands executed by agents left this vulnerability unguarded.
Because the macOS seatbelt sandbox permits writes to the home directory, attackers can employ shell builtins to escape the sandbox, allowing them to overwrite critical files such as the .zshenv. This file is executed by every new Zsh shell instance, exacerbating the risk of exploitation across various applications and scripts.
Exploiting Cursor’s Tunnel Feature
Attackers can manipulate the README.md file in a repository to inject malicious prompts, which Cursor follows when the file is accessed. This includes executing the sandbox escape and launching a script to exploit the tunnel feature. The attacker can then generate a device code and send it to their server to establish a GitHub session through the tunnel.
As Straiker notes, once the attacker’s GitHub account is authorized, they gain persistent access to the victim’s system via the tunnel. This access remains active as long as the session persists and the tunnel registration is not removed.
Response and Future Implications
The vulnerability was initially discovered in January and promptly reported to Cursor in February. A patch addressing the issue was released with Cursor version 3.0. This incident underscores the critical need for robust cybersecurity measures in AI applications, as well as the importance of ongoing vigilance in monitoring and addressing potential threats.
As AI systems continue to integrate into various technological frameworks, ensuring their security becomes paramount. Future developments must focus on enhancing protective measures and governance to prevent similar exploits.
