The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you're compromised
It's curious the number of people here who can't link these two things.