CursorJack: Weaponizing Deeplinks to Exploit Cursor IDE
Summary:
On January 19, 2026, Proofpoint Threat Research observed a risk pattern in a controlled test environment dubbed "CursorJack" that affects the Cursor IDE. CursorJack involves the weaponization of Model Context Protocol (MCP) deeplinks to potentially achieve arbitrary local code execution or install a malicious remote MCP server. By leveraging social engineering tactics, attackers can deceive users into clicking a malicious cursor[:]// link. Once the user accepts the default installation prompt, the payload executes with the same privileges as the user. Because developers are high-value targets, compromised workstations can lead to the theft of SSH keys, API tokens, source code, and other sensitive credentials. There is currently no visual distinction between a legitimate MCP install link and a malicious one in the default user interface, making this a critical vector for agentic AI environments.
Security Officer Comments:
Cursor IDE implements MCP deeplinks to provide a quick installation mechanism for MCP servers. The standard deeplink structure is cursor[:]//anysphere[.]cursor-deeplink/mcp/install?name=[name]&config=[base64]. When Cursor is installed, it registers the cursor:// protocol handler with the operating system. Clicking a link launches the application and passes the URL to the executable; the MCP server configuration is carried base64-encoded in the config parameter. The core exploit relies on the configuration format of mcp[.]json, specifically abusing two distinct keys to achieve compromise. Attackers can set arbitrary names within the deeplink (e.g., "Azure DevOps") to trick users into believing the MCP server originates from a trusted vendor. Adversaries use familiar developer binaries like npx or uvx to pull malicious code, making the execution appear as a routine package installation. Threat actors can use encoding techniques or excessively long command strings to push malicious arguments outside of the user's view in the installation preview dialog (a tactic previously associated with CVE-2025-54133). Payloads can be fully embedded within the base64 string (static and self-contained) or staged remotely (requires C2 availability but leaves fewer local artifacts).
Command Key: Abuses the command configuration (e.g., npx, uvx, docker) to execute arbitrary host commands.
URL Key: Defines a URL pointing to a remote MCP server instead of local binaries.
Attack Chain and Execution Flow
The Proofpoint PoC demonstrated the following attack sequence:
- The user clicks a malicious Cursor deeplink from a spoofed or untrusted source (e.g., delivered via phishing emails, chat applications, or PDF documents).
- The web browser prompts the user to open the Cursor IDE.
- Cursor presents an installation dialog displaying the MCP server name and parameters.
- The user clicks "Install" to approve the integration.
- The IDE adds the new MCP configuration to the local ~/[.]cursor/mcp[.]json file.
- Cursor executes the configured command based on local security controls and permissions.
Actionable Suggested Corrections
- Implement strict allow-listing and content inspection for outbound connections to detect and block staged payloads attempting to reach C2 infrastructure.
- Monitor endpoint activity for unexpected modifications to the ~/[.]cursor/mcp[.]json file.
- Inspect deeplinks and command executions for anomalous or heavily obfuscated arguments stemming from the Cursor application.
- Deploy containerization or granular permission models to isolate the IDE and the command parameter execution from the host operating system.
- Treat all internet-sourced deeplinks with the same caution as untrusted executables or macro-enabled documents.
- Conduct security training for developers that highlights the risks of AI coding assistants, specifically conditioning them not to blindly approve AI or IDE installation prompts.
- Ensure developer environments operate under the principle of least privilege to limit the blast radius if an IDE is compromised.
- Advocate for a trusted MCP ecosystem that requires code signing and verified publishers for MCP servers, allowing users to verify the source and integrity before installation.
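The deeplink format described above and the suggestion to inspect deeplinks for anomalous or obfuscated arguments can be combined into a small gateway-side check. The following is an added example, not Proofpoint's or Cursor's code: it decodes the config parameter of a cursor:// MCP install link and lists the traits the write-up names (command vs. url key, package-runner binaries, over-long or encoded arguments, unverified display name). The preview width, the runner set and the sample link are assumptions constructed for the demo.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Added inspection helper, not Proofpoint's or Cursor's code. It decodes a
# cursor:// MCP install deeplink and reports the traits the write-up describes,
# so a mail or chat gateway, or a reviewer, can flag the link before it is clicked.

PREVIEW_LIMIT = 120                 # assumed width of the install preview dialog
RUNNERS = {"npx", "uvx", "docker"}  # package runners that fetch code on first use
ENCODED = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")  # long base64-looking token


def decode_deeplink(link):
    """Return (server name, decoded config dict) from an MCP install deeplink."""
    u = urlparse(link)
    if u.scheme != "cursor" or not u.path.endswith("/mcp/install"):
        raise ValueError("not a cursor MCP install deeplink")
    q = parse_qs(u.query)
    raw = q["config"][0].replace(" ", "+")  # parse_qs turns '+' into spaces
    raw += "=" * (-len(raw) % 4)            # tolerate stripped base64 padding
    return q.get("name", [""])[0], json.loads(base64.urlsafe_b64decode(raw))


def inspect_entry(name, config):
    """List review findings for one decoded MCP entry; the name note is always present."""
    findings = [f"displayed name {name!r} is chosen by the link author, not verified"]
    if "command" in config:
        cmd = str(config["command"])
        args = [str(a) for a in config.get("args", [])]
        findings.append(f"command key: host will execute {cmd!r}")
        if cmd in RUNNERS:
            findings.append(f"{cmd} fetches and runs a package; review its source first")
        joined = " ".join(args)
        if len(joined) > PREVIEW_LIMIT:
            findings.append(f"args are {len(joined)} chars and may run past the preview")
        if any(ENCODED.match(a) for a in args):
            findings.append("encoded blob in args")
    if "url" in config:
        findings.append(f"url key: remote MCP server at {urlparse(str(config['url'])).netloc}")
    return findings


def demo():
    """Constructed sample mirroring the pattern in the write-up; not a real payload."""
    cfg = {"command": "npx", "args": ["-y", "example-mcp-server", "--token", "QUFB" * 25]}
    link = ("cursor://anysphere.cursor-deeplink/mcp/install?name=Azure%20DevOps&config="
            + base64.b64encode(json.dumps(cfg).encode()).decode())
    return inspect_entry(*decode_deeplink(link))
```

The same inspect_entry() check can be run over each entry in ~/.cursor/mcp.json after a modification is detected, since the decoded config is the same shape as what the IDE writes there.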
https://www.proofpoint.com/us/blog/threat-insight/cursorjack-weaponizing-deeplinks-exploit-cursor-ide