Cursor Exploit Reprograms Developers' AI Agents

A proof-of-concept published yesterday demonstrates a VSCode/Cursor tasks.json exploit that runs code when a folder is opened, silently injecting rule files into .cursor/rules. The PoC (published on GitHub by user 'ike' and reported by Oasis) shows attackers can force AI agents to change behavior (for example, respond only in Spanish) and hide files with .vscode settings and .gitignore entries. This enables persistent, distributed manipulation across repositories.