{"id":92919,"date":"2026-01-08T09:58:18","date_gmt":"2026-01-08T06:58:18","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=92919"},"modified":"2026-01-08T10:00:23","modified_gmt":"2026-01-08T07:00:23","slug":"vulnerability-in-cursor-ai-editor-allows-pc-takeover","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/vulnerability-in-cursor-ai-editor-allows-pc-takeover\/","title":{"rendered":"Vulnerability in Cursor AI Editor Allows PC Takeover"},"content":{"rendered":"<p>Opening a project folder in certain code editors can lead to the covert execution of malicious commands. According to SlowMist, users of Cursor AI are particularly vulnerable to this flaw.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">\ud83d\udea8SlowMist TI Alert\ud83d\udea8<\/p>\n<p>If you\u2019re doing Vibe Coding or using mainstream IDEs, be cautious when opening any project or workspace. For example, simply using \u201cOpen Folder\u201d on a project may trigger system command execution \u2014 on both Windows and macOS.<\/p>\n<p>\u26a0\ufe0f Cursor users: especially at\u2026 <a href=\"https:\/\/t.co\/9pNgqKoZKm\">pic.twitter.com\/9pNgqKoZKm<\/a><\/p>\n<p>\u2014 SlowMist (@SlowMist_Team) <a href=\"https:\/\/twitter.com\/SlowMist_Team\/status\/2009079558633648549?ref_src=twsrc%5Etfw\">January 8, 2026<\/a><\/p><\/blockquote>\n<p>The vulnerability affects popular development environments and tools for Vibe Coding, where programming is delegated to large language models.<\/p>\n<p>The attack mechanism involves creating a project with a specific structure. If a developer opens such a folder using the standard Open Folder function, a malicious command is automatically executed on their device. The threat is relevant for both Windows and macOS.<\/p>\n<p>According to experts, several users of the Cursor AI editor have already fallen victim to the campaign. 
The exact damage is unknown.<\/p>\n<p>The founder of SlowMist, known by the pseudonym Cos, has already passed information about the incident to the platform&#8217;s security team.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zh\" dir=\"ltr\">Sent <a href=\"https:\/\/twitter.com\/cursor_ai?ref_src=twsrc%5Etfw\">@cursor_ai<\/a> the vulnerability details + PoC + related screenshots, hoping this issue gets resolved as soon as possible. <a href=\"https:\/\/t.co\/v5zWCdhVpW\">pic.twitter.com\/v5zWCdhVpW<\/a><\/p>\n<p>\u2014 Cos(\u4f59\u5f26)\ud83d\ude36\u200d\ud83c\udf2b\ufe0f (@evilcos) <a href=\"https:\/\/twitter.com\/evilcos\/status\/2009084026297123074?ref_src=twsrc%5Etfw\">January 8, 2026<\/a><\/p><\/blockquote>\n<p>At the time of writing, Cursor has not commented on the vulnerability reports.<\/p>\n<p>A <a href=\"https:\/\/forklog.com\/en\/news\/what-is-web3\">Web3<\/a> researcher known as DeFi Teddy recommended that users employ separate devices for Vibe Coding and cryptocurrency storage. 
<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zh\" dir=\"ltr\">Following the reminder from SlowMist boss <a href=\"https:\/\/twitter.com\/evilcos?ref_src=twsrc%5Etfw\">@evilcos<\/a>, adding some security notices for vibe coding<\/p>\n<p>\u2014 programs like cursor\/codex\/claude code have very high privileges and can basically control your personal computer<br \/>\u2014 when cursor opens project files, it may automatically execute the files below<\/p>\n<p>So there are 2 important security tips<\/p>\n<p>\u2014 the computer where vibe coding is installed needs to be kept separate from the web3 computer<br \/>-\u2026 <a href=\"https:\/\/t.co\/pXq6Bhs4QG\">https:\/\/t.co\/pXq6Bhs4QG<\/a><\/p>\n<p>\u2014 DeFi Teddy (@DeFiTeddy2020) <a href=\"https:\/\/twitter.com\/DeFiTeddy2020\/status\/2009113591677644864?ref_src=twsrc%5Etfw\">January 8, 2026<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>&#8220;Never open or download projects in Cursor from unverified or suspicious sources (such as random repositories on GitHub) whose security is not confirmed,&#8221; he added. <\/em><\/p>\n<\/blockquote>\n<p>In September, Oasis Security specialists <a href=\"https:\/\/forklog.com\/en\/news\/a-new-crypto-stealing-infostealer-a-10m-fbi-bounty-for-a-ukrainian-hacker-and-other-cybersecurity-news\">discovered<\/a> a similar vulnerability in the program. 
It allowed malicious code to be embedded, taking control of the workspace and stealing <span data-descr=\"application programming interface\" class=\"old_tooltip\">API<\/span> tokens without any user commands.<\/p>\n<p>Cursor is an <span data-descr=\"integrated development environment\" class=\"old_tooltip\">IDE<\/span> based on Visual Studio Code with built-in AI tools. The project is integrated with popular chatbots like ChatGPT and Claude.<\/p>\n<p>The platform is popular among developers: according to media reports, about a million people use it, generating over a billion lines of code daily. In May, the company behind Cursor, Anysphere, <a href=\"https:\/\/forklog.com\/en\/news\/developer-of-programmer-killer-cursor-secures-900-million-at-9-billion-valuation\">raised<\/a> $900 million at a valuation of $9 billion. <\/p>\n<p>Back in July, the cybersecurity service Tracebit <a href=\"https:\/\/forklog.com\/en\/news\/flaw-in-gemini-interface-allowed-execution-of-malicious-code\">found<\/a> a vulnerability in Google&#8217;s Gemini. 
It allowed the stealthy execution of malicious commands if a user viewed suspicious code with the help of a neural network.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Opening a project folder in certain code editors can lead to the covert execution of malicious commands, experts at SlowMist warned.<\/p>\n","protected":false},"author":1,"featured_media":92920,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Vulnerability in Cursor AI editor allows covert PC takeover.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[438,1111],"class_list":["post-92919","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-artificial-intelligence","tag-cybersecurity"],"aioseo_notices":[],"amp_enabled":true,"views":"360","promo_type":"1","layout_type":"1","short_excerpt":"Vulnerability in Cursor AI editor allows covert PC 
takeover.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=92919"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92919\/revisions"}],"predecessor-version":[{"id":92921,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92919\/revisions\/92921"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/92920"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=92919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=92919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=92919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}