What Happened
Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute. Whatever that binary does, it does as you, with your source, your SSH keys and your cloud tokens. Cursor keeps re-running it for as long as the project stays open. No prompt
Why It Matters
According to the report, a Windows flaw in the Cursor AI IDE causes it to automatically execute a git.exe binary found in the root of any opened repository, with no prompt, click, or warning, leading to arbitrary code execution under the developer’s account.[1][2][8] The behavior is repeatedly triggered as long as the project stays open, exposing source code, SSH keys, and cloud tokens to compromise.[1][2] RealGround analysis: This is an AI supply chain risk where a development tool in the AI ecosystem turns cloned repositories into executable content, meaning poisoned repos become a vehicle for OS-level compromise. Organizations should treat untrusted repositories as hostile inputs, harden developer workstations (e.g., application control, sandboxing), and include IDEs like Cursor in SBOM-driven supply chain reviews and AI security readiness assessments.
RealGround Analysis
This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/07/cursor-flaw-lets-malicious-cloned.html
