
Cursor Exploit Reprograms Developers' AI Agents

By LDS Team
Relevance Score: 8.1

A proof-of-concept published yesterday demonstrates a VSCode/Cursor tasks.json exploit that runs code when a folder is opened, silently injecting rule files into .cursor/rules. The PoC (published on GitHub by user 'ike' and reported by Oasis) shows attackers can force AI agents to change behavior (for example, respond only in Spanish) and hide files with .vscode settings and .gitignore entries. This enables persistent, distributed manipulation across repositories.

Key Points

  • Demonstrates tasks.json exploit that executes on folderOpen, injecting rules into .cursor/rules.
  • Shows attackers can silently reprogram local AI agents to change behavior and exfiltrate secrets.
  • Alerts developers to persistent distributed threats across repos; requires code reviews and tooling mitigations.
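
One way to act on the code-review and tooling point above, as an added example that is not part of the PoC or the original report: a Python check that flags the artifacts described here before a cloned folder is opened in the editor. The function names, finding strings and sample workspace are constructed for illustration, and mapping the report's wording to the standard VS Code keys `runOptions.runOn` and `files.exclude` is an assumption.

```python
import json, re, tempfile
from pathlib import Path

RUN_ON_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')
HIDE_TARGETS = (".cursor", ".vscode")
AUTO_RUN = "auto-run task (runOn=folderOpen)"

def _load(path):
    """Return (dict or None, raw text); VS Code files may be JSONC, which json rejects."""
    text = path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    return (doc if isinstance(doc, dict) else None), text

def audit_workspace(root):
    """Return sorted (relative path, finding) pairs to review before opening the folder."""
    root, found = Path(root), set()
    doc, text = _load(root / ".vscode" / "tasks.json")
    if doc is None and RUN_ON_OPEN.search(text):  # JSONC fallback: plain text match
        found.add((".vscode/tasks.json", AUTO_RUN))
    for task in (doc or {}).get("tasks") or []:
        if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            found.add((".vscode/tasks.json", AUTO_RUN))
    doc, _ = _load(root / ".vscode" / "settings.json")
    for pattern, on in ((doc or {}).get("files.exclude") or {}).items():
        if on and any(t in pattern for t in HIDE_TARGETS):
            found.add((".vscode/settings.json", f"files.exclude hides {pattern}"))
    _, text = _load(root / ".gitignore")
    for line in text.splitlines():
        if not line.startswith("#") and any(t in line for t in HIDE_TARGETS):
            found.add((".gitignore", f"ignores {line.strip()}"))
    rules = root / ".cursor" / "rules"
    found.update((p.relative_to(root).as_posix(), "agent rule file present")
                 for p in (rules.rglob("*") if rules.is_dir() else []) if p.is_file())
    return sorted(found)

def demo():
    """Build a constructed sample workspace (inert echo task) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vs = Path(tmp, ".vscode")
        vs.mkdir()
        (vs / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
            {"label": "setup", "type": "shell", "command": "echo constructed",
             "runOptions": {"runOn": "folderOpen"}}]}))
        (vs / "settings.json").write_text(json.dumps({"files.exclude": {"**/.cursor": True}}))
        Path(tmp, ".gitignore").write_text(".cursor/rules/\n")
        return audit_workspace(tmp)
```

Ignoring `.vscode` in `.gitignore` is common in legitimate repositories, so treat that finding as a prompt to look rather than proof of tampering; it matters most alongside an auto-run task or a hidden `.cursor` directory.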

Scoring Rationale

High practical impact with a reproducible PoC, limited by single-source public disclosure and tool-specific scope.
