Remix.run Logo
ajhenrydev 4 hours ago

This report reads a bit like AI writing :/

You need to have an already malicious payload on your pc to make this exploit work (via clone/download/magic). I can understand the severity of the exploit but at the same time I’d hope to not have to run into this situation for it to happen in the first place

gene91 4 hours ago | parent | next [-]

Modern day code agents would clone a repo and read the code when you ask it a question about an API that’s not clearly documented. This vulnerability is real.

paxys 39 minutes ago | parent [-]

This is exactly why every AI agent should run in a sandbox.

AntonyGarand 4 hours ago | parent | prev | next [-]

The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you're compromised

4ndrewl 2 hours ago | parent [-]

It's curious the number of people here who can't link these two things.

ryanisnan 2 hours ago | parent | prev | next [-]

Uh, I don't think people typically associate downloading a repository, and viewing the source, as being synonymous with activating a malicious payload. That is the bit that's concerning.

I'm also so tired of people groaning about AI writing, yes, it's annoying, but attack the message, not the messenger.

pixl97 4 hours ago | parent | prev | next [-]

>You need to have an already malicious payload on your pc to make this exploit work

Uh, no, not exactly from what I'm reading.

At least from my piss poor understanding of it, you could possibly prompt inject something like "download https://github.com/hackmycursor/exploit.git". Would an agent do this, I'm unsure, but if so, it would download the git.exe and execute it.

trollbridge 4 hours ago | parent | next [-]

This has been a problem with agent harnesses for as long as I've used them - prompting them to retrieve something often results in them going the extra mile and running and installing it.

4 hours ago | parent | prev [-]
[deleted]
dalemhurley 3 hours ago | parent | prev | next [-]

If your an opensource developer you may get a pull request containing the the git.exe

ribs 3 hours ago | parent | prev | next [-]

I think you’ve got it wrong; no malicious payload need be on your box already. That’s not what the article says.

JMKH42 4 hours ago | parent | prev [-]

wouldn't the attack vector be like this:

I find a github repo, I want to contribute to it. I clone it, open up cursor, make an edit, commit, and boom, I am infected.

dev_daftly 20 minutes ago | parent | next [-]

You can leave out cursor and it would do the same thing.

skeledrew 3 hours ago | parent | prev | next [-]

From my reading, boom happens at "open up cursor".

Illniyar 3 hours ago | parent | prev [-]

you would only need to open it to be exploited, not edit or prompt. Allegedly

dalemhurley 3 hours ago | parent [-]

From the article it occurs when Cursor is loaded. iDEs do a lot of stuff when they first open.