Cursor Deeplinks Enable MCP Server Installation Abuse

On January 19, 2026, Proofpoint Threat Research reported that Cursor's cursor:// Model Context Protocol (MCP) deeplink mechanism can be abused (CursorJack) to install malicious MCP servers or execute arbitrary commands when a user clicks a deeplink and accepts the installation prompt. In tests, a single click plus user approval executed attacker commands (including a Meterpreter stager), potentially enabling credential theft and lateral movement. Defenders should enforce EDR, URL-handler policies, and strict install verification.
Key Points
- Demonstrates that cursor:// deeplinks can install MCP servers or execute arbitrary commands after user approval
- Highlights the risk to developer workstations containing credentials, API keys, source code, and privileged access
- Advises enforcing EDR and URL-handler policies, reviewing user prompts, and restricting MCP installation sources
Scoring Rationale
High technical credibility and actionable PoC, limited to Cursor-specific deeplink configurations and user-approval context.
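
One way to apply the install-verification advice above is to decode a deeplink and look at the command it carries before anyone approves it. The sketch below is an added example, not Proofpoint's or Cursor's code; it assumes the install link layout from Cursor's public documentation (path `/mcp/install` with a `name` and a base64-encoded JSON `config` parameter), and the launcher allowlist and sample links are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical policy: launchers a team has agreed MCP servers may be started with.
ALLOWED_LAUNCHERS = {"npx", "uvx", "docker"}
# Interpreters that turn the server "command" into arbitrary command execution.
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}

def inspect_mcp_deeplink(link):
    """Decode an MCP install deeplink and report what approving it would run."""
    parts = urlsplit(link)
    if parts.scheme != "cursor" or parts.path.rstrip("/") != "/mcp/install":
        raise ValueError("not a cursor:// MCP install deeplink")
    query = parse_qs(parts.query)
    name = query.get("name", [""])[0]
    # Assumed encoding: base64 JSON. parse_qs turns a raw '+' into a space, and
    # links may use the URL-safe alphabet or drop padding, so normalise first.
    blob = query.get("config", [""])[0].replace(" ", "+").replace("-", "+").replace("_", "/")
    try:
        config = json.loads(base64.b64decode(blob + "=" * (-len(blob) % 4)))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("config is not base64-encoded JSON") from exc
    if not isinstance(config, dict):
        raise ValueError("config is not a JSON object")
    # "command" may hold just the executable or a whole command line.
    argv = str(config.get("command", "")).split() + [str(a) for a in (config.get("args") or [])]
    exe = re.split(r"[\\/]", argv[0])[-1].lower() if argv else ""
    if exe in SHELLS:
        verdict = "block"        # a shell as the server command runs anything
    elif exe in ALLOWED_LAUNCHERS:
        verdict = "allowlisted"  # still show argv: launchers fetch remote packages
    else:
        verdict = "review"       # unknown executable, or no local command at all
    return {"name": name, "argv": argv, "verdict": verdict}

def make_sample_link(name, config):
    """Build a constructed sample deeplink for the demo below."""
    blob = base64.b64encode(json.dumps(config).encode()).decode()
    return "cursor://anysphere.cursor-deeplink/mcp/install?" + urlencode({"name": name, "config": blob})

if __name__ == "__main__":
    samples = [  # constructed samples, not links from the report
        make_sample_link("postgres", {"command": "npx", "args": ["-y", "example-mcp-server"]}),
        make_sample_link("docs-helper", {"command": "sh", "args": ["-c", "echo constructed-sample"]}),
    ]
    for link in samples:
        print(inspect_mcp_deeplink(link))
```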

