Two Clicks to Own a Developer's Machine: The Cursor AI Flaw You Should Know About

Researchers found they could smuggle a malicious installation command into the most popular AI code editor by hiding it inside what looked like a routine code-review link.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial shot of a modern developer workstation at dusk, two large monitors glowing with abstract code editor windows, a small permission
Share

Key points

  • Researchers at Adversa AI disclosed two vulnerabilities in Cursor AI on 15 July 2025, affecting a tool used by more than 50,000 companies worldwide.
  • The attack chain requires just two clicks from the victim and can install a malicious MCP server (a privileged software component that connects AI tools to a computer's files and commands) without the developer realising.
  • Cursor AI confirmed the bugs were mishandled by a third-party security vendor and said it has since reopened the investigation.
  • A separate Cursor flaw involving hidden malware inside a fake Git file was disclosed by Mindgard on 14 July 2025.
  • No patch has been publicly confirmed as of publication.

Cursor AI is the fastest-growing code editor built around artificial intelligence, used inside 64 percent of Fortune 500 companies according to the product's own website. On 15 July 2025, a security research firm called Adversa AI published findings, shared first with Dark Reading, showing that anyone who can send a link to a Cursor user can, in two clicks, install malicious software on that person's work computer.

The attack uses something called an MCP server. MCP stands for Model Context Protocol, a technical standard that lets AI assistants reach outside their sandboxed environment and talk to real systems: read files, call web services, run commands. MCP servers are powerful by design. In Cursor, when a user installs one, it runs with the same permissions as the developer who clicked the button. That is a lot of trust.

How did the hackers get in?

They did not break in through a back door. They knocked on the front door and made it look like a parcel delivery.

The researchers created a disguised link. Using a technique called double URL encoding, where characters in a web address are swapped for code that browsers quietly translate back, they turned a command that says "install this MCP server" into text that looks like a normal pull request link. A pull request is a message developers send each other saying "I made a change to the code, please review it." Developers click these constantly.

Click the disguised link and Cursor pops up a small box asking: "Install MCP server?" It shows the server name and a preview of its commands. Here is the second flaw. The preview window is too small to show the full command. A malicious instruction dozens of characters long appears innocent in the first visible line; the dangerous part sits hidden below the visible area. The developer clicks confirm. The malicious server installs. It can now read source code, steal passwords stored in the project, or reach further into the developer's employer's network.

Lead researcher Rony Utevsky compared this to a class of flaws called argument injection, where hidden commands piggyback on trusted ones. He noted that a similar flaw in Anthropic's Claude Code was found and patched in May 2025. Cursor has not yet patched either issue.

Cursor told Dark Reading a third-party security vendor had wrongly closed the bug report. The company says it has now reopened it and is investigating.

What affected developers and their employers should do right now:

  • Treat any unsolicited link that triggers an MCP installation prompt inside Cursor as suspicious, even if it appears to come from a colleague.
  • Scroll the full contents of any installation confirmation box before clicking approve. If you cannot see the complete command, do not proceed.
  • Ask your IT or security team to allowlist only pre-approved MCP servers and block unknown ones at the network level.
  • Report unexpected Cursor pop-ups to your security team before dismissing or approving them.
© 2026 Threat Vectr