Popular AI Coding Tool Cursor Runs Malicious Files Automatically, Researcher Warns

A security firm reported the flaw seven months ago. Cursor has yet to patch it.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge 16:9 photoreal news-editorial image of a dimly lit server rack with green and amber LEDs reflecting off glossy black metal, faint binary
Share

Key points

  • Offensive security firm Mindgard disclosed a vulnerability in the Cursor AI coding tool on 15 December 2024 and received no patch or acknowledgement for seven months.
  • The flaw causes Cursor to automatically run any file named "git.exe" placed in the root folder of a code project, with no warning to the developer.
  • A criminal could publish a poisoned code project online and trigger the attack the moment a developer opens it in Cursor.
  • On 13 July 2025, a Cursor spokesperson told Dark Reading the company is "addressing this" but gave no timeline.
  • Until a fix arrives, Mindgard advises developers to open untrusted projects only inside an isolated virtual machine, meaning a sealed-off computer environment that runs inside your real computer.

Cursor is an AI-powered coding tool used by software developers to write and manage code faster. When you open a project in Cursor, the program quietly looks for Git, a standard piece of software that helps developers track changes to their work. It checks several folders for Git, and one of those folders is the project itself.

That is the problem.

If someone places a malicious file named "git.exe" in the top-level folder of a code project, Cursor finds it, treats it as legitimate, and runs it automatically. No pop-up. No warning. No permission prompt.

How easy is this to exploit?

Very easy, according to Mindgard. To prove the point, the firm's researchers took a completely ordinary program, the Windows Calculator app, renamed it "git.exe", dropped it into a code project folder, and opened that project in Cursor. The Calculator launched by itself, with nothing else required.

Now replace the Calculator with ransomware, which is malicious software that locks a victim's files until a payment is made, or a remote access Trojan, which is software that hands a criminal quiet, ongoing control of a machine. The effect is the same: the file runs the instant a developer opens the project.

Aaron Portnoy, chief product officer at Mindgard, put it plainly. "If you take a remote access Trojan, a ransomware binary, or whatever you want to execute and just call it git.exe, it runs unrestricted on the developer's machine as soon as they open the repo," he said. He added that fixing the flaw would take him roughly five minutes if he had access to the code.

The attack is especially dangerous because developers regularly pull down, meaning download and open, code projects shared publicly online. A criminal only needs to publish one poisoned repository and wait.

Mindgard reported the vulnerability to Cursor through email, LinkedIn, and HackerOne, a platform where security researchers submit bug reports to software companies. Cursor never accepted the report or confirmed any fix was coming. After seven months with no resolution, Mindgard went public.

For developers on managed Windows systems, Mindgard recommends using AppLocker or Windows App Control, both built-in Windows policy tools, to block "git.exe" from running inside project folders. For everyone else, the firm's advice is straightforward: open any project you did not build yourself inside an isolated virtual machine until Cursor issues a patch.

© 2026 Threat Vectr