A new vulnerability in VSCode-based editors like Cursor allows malicious tasks.json files to silently execute code when a folder is opened, potentially reprogramming AI agents and spreading threats across all of a developer's repositories.
The discovery of a VSCode vulnerability that executes malicious code simply by opening a folder containing a malicious tasks.json file has revealed a concerning new attack vector for AI-assisted development environments. This exploit, first reported by Oasis, demonstrates how the integration of generative AI tools into development workflows creates novel security risks that extend beyond traditional code vulnerabilities.
The core issue lies in how AI code editors like Cursor handle project-level configurations. These editors use plain-text prompts stored in .cursor/rules directories to fine-tune agent behavior. These prompts can define everything from coding style preferences to language requirements, fundamentally shaping how the AI assistant interacts with the codebase. The vulnerability allows an attacker to inject malicious prompts into these rule files, effectively reprogramming the developer's AI agents without their knowledge.
The attack mechanism is particularly insidious because it leverages the editor's own functionality against itself. The malicious tasks.json file uses the runOn: "folderOpen" option to trigger execution whenever the folder is opened, combined with reveal: "never" to hide any indication that code is running. The payload itself is a shell command that searches for nearby .cursor directories and injects malicious rule files into each one. These rule files can then force the AI agent to behave in harmful ways—such as exfiltrating sensitive information, introducing subtle bugs, or even changing the language of all generated code.
What makes this vulnerability particularly dangerous is its potential for distributed persistence. Unlike traditional malware that targets individual machines, this exploit can propagate through shared code repositories. When a developer clones a compromised repository, the malicious tasks.json file executes automatically, injecting the same malicious prompts into all their other projects. This creates a chain reaction where the threat spreads through development teams and organizations, affecting every developer who interacts with the compromised code.
The technical implementation demonstrates sophisticated evasion techniques. The exploit uses Base64 encoding to obfuscate the payload, and can hide its presence by adding exclusion rules to .vscode/settings.json, making the .cursor and .vscode directories invisible in the file explorer. This means the developer sees a completely normal-looking repository while the malicious code has already executed and modified their AI agent's behavior.
The implications extend far beyond simple code manipulation. AI agents often have access to sensitive information—API keys, database credentials, and security certificates—because they need this context to provide meaningful assistance. A compromised agent could systematically exfiltrate this data, creating a persistent security breach. The threat is amplified by the fact that AI-generated code is often trusted implicitly, making subtle sabotage difficult to detect.
This vulnerability highlights a fundamental tension in AI-assisted development: the convenience of automated code generation versus the security risks of delegating control to intelligent systems. As developers increasingly rely on AI tools for complex tasks, the attack surface expands to include not just the code itself, but the instructions that guide the AI's behavior.
The exploit's demonstration by the researcher shows how a seemingly harmless folder can become a weapon. The repository appears completely normal after exploitation, with no visible signs of compromise. This stealth characteristic makes traditional security scanning ineffective, as the malicious code executes within the trusted environment of the developer's own tools.
For development teams, this represents a new category of supply chain attack. Unlike traditional dependency poisoning, which targets package managers, this exploit targets the very configuration files that modern development workflows depend on. The spread mechanism through shared repositories means that a single compromised project can affect an entire organization's development infrastructure.
The vulnerability was initially reported by Oasis and Tagged Programming, bringing attention to this emerging class of AI-specific security threats. As AI code editors become more sophisticated and widely adopted, understanding these new attack vectors becomes crucial for maintaining secure development practices.
Developers using Cursor or similar AI-assisted editors should exercise caution when opening unfamiliar repositories. The exploit demonstrates that even seemingly innocent configuration files can harbor sophisticated attacks. Organizations should consider implementing additional verification steps for repository configurations and monitor for unexpected changes to AI agent behavior.
This vulnerability also raises questions about the security model of AI development tools. Current security practices focus on code execution and dependency management, but the rise of prompt-based AI configuration creates a new layer that requires its own security considerations. Future development tools may need to implement more robust sandboxing and verification mechanisms for AI agent instructions.
The exploit's existence serves as a reminder that as development tools evolve, so do the threats against them. The integration of AI into development workflows brings powerful capabilities but also introduces new vulnerabilities that traditional security approaches may not adequately address. Understanding these risks is the first step toward building more secure AI-assisted development environments.
GitHub - ike/cursor-task-hijack contains the complete proof of concept demonstrating this vulnerability in detail.
Comments
Please log in or register to join the discussion