| ▲ | ajhenrydev 4 hours ago | ||||||||||||||||||||||||||||
This report reads a bit like AI writing :/ You need to have an already malicious payload on your pc to make this exploit work (via clone/download/magic). I can understand the severity of the exploit but at the same time I’d hope to not have to run into this situation for it to happen in the first place | |||||||||||||||||||||||||||||
| ▲ | gene91 4 hours ago | parent | next [-] | ||||||||||||||||||||||||||||
Modern day code agents would clone a repo and read the code when you ask it a question about an API that’s not clearly documented. This vulnerability is real. | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▲ | AntonyGarand 4 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||
The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you're compromised | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▲ | ryanisnan 2 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||
Uh, I don't think people typically associate downloading a repository, and viewing the source, as being synonymous with activating a malicious payload. That is the bit that's concerning. I'm also so tired of people groaning about AI writing, yes, it's annoying, but attack the message, not the messenger. | |||||||||||||||||||||||||||||
| ▲ | pixl97 4 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||
>You need to have an already malicious payload on your pc to make this exploit work Uh, no, not exactly from what I'm reading. At least from my piss poor understanding of it, you could possibly prompt inject something like "download https://github.com/hackmycursor/exploit.git". Would an agent do this, I'm unsure, but if so, it would download the git.exe and execute it. | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▲ | dalemhurley 3 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||
If your an opensource developer you may get a pull request containing the the git.exe | |||||||||||||||||||||||||||||
| ▲ | ribs 3 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||
I think you’ve got it wrong; no malicious payload need be on your box already. That’s not what the article says. | |||||||||||||||||||||||||||||
| ▲ | JMKH42 4 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||
wouldn't the attack vector be like this: I find a github repo, I want to contribute to it. I clone it, open up cursor, make an edit, commit, and boom, I am infected. | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||