Exploit by design
2026-07-15 22:43:24.943096+02 by Dan Lyke 0 comments
JFC. Mindgard: Cursor 0day: When Full Disclosure Becomes the Only Protection Left
This isn't even a prompt injection attack. Open a repo in Cursor that contains a "git.exe" file, Cursor runs it.
This disclosure goes beyond a single executable named git.exe to the place of trust in software. AI companies routinely ask users to grant unprecedented levels of access to code, repositories, terminals, secrets, and workflows that increasingly blur the line between suggestion and action.
The industry narrative is that these systems deserve trust because they increase productivity, but history has taught us time and again that trust should not be granted because something is useful. It should be earned through behavior. That behavior is reflected in how a company responds to security reports, communicates with affected users, and prioritizes remediation.
Via lobste.rs, which both raises the possibility that this might be an intentional backdoor given how long it's gone unpatched, and also has some speculation about LLM attitudes and philosophies around command vs data channels, and the unwillingness (or inability to conceptualize) separating the two.