VYPR
research · Published Mar 17, 2026 · Updated May 18, 2026 · 1 source

CursorJack Attack Path Exploits MCP Deeplinks in Cursor IDE for Code Execution

Proofpoint researchers have identified the CursorJack attack path, which abuses Model Context Protocol deeplinks in the Cursor IDE to enable code execution through social engineering.

Proofpoint Threat Research has uncovered a novel attack path targeting the Cursor Integrated Development Environment (IDE), a popular AI-assisted coding platform. Dubbed CursorJack, the technique abuses the Model Context Protocol (MCP) deeplink mechanism to potentially install malicious components or execute arbitrary commands on a developer's machine. The findings, based on controlled testing as of January 19, 2026, highlight a growing security concern in AI development environments.

Cursor uses a custom URL scheme to streamline MCP server installation, embedding configuration data directly into deeplinks that launch the IDE when clicked. Proofpoint discovered that this process can be exploited through social engineering: attackers can craft malicious links that appear legitimate while containing harmful configurations. When users click these links and approve the installation prompt, the IDE may execute commands with the same privileges as the user. Because the installation dialogue does not differentiate between trusted and untrusted sources, attackers can disguise their payloads as routine tools.

The exploitation is not automatic; it depends on user interaction and system configuration. A single click on a crafted link, followed by approval of an installation prompt, may be sufficient to trigger the behavior in some environments. This creates a pathway for both local code execution and the installation of remote malicious servers, depending on the configuration. Proofpoint published its own proof-of-concept code on GitHub to demonstrate the risk.

The research highlights significant risks for developers, who often operate with elevated permissions and access sensitive assets such as API keys, credentials, and source code. While no zero-click exploitation was observed, the reliance on user approval introduces a human factor that attackers may exploit. The study also noted that modern development workflows, particularly those involving AI tools, may condition users to accept prompts without thorough review, increasing exposure to deceptive installation requests that appear routine.

Proofpoint recommends several mitigation strategies: introduce verification mechanisms for trusted MCP sources, implement stricter permission controls for command execution, improve visibility into installation parameters, and treat deeplinks from unknown origins with caution. The researchers emphasized that 'the MCP ecosystem requires fundamental security improvements embedded directly into the framework architecture, rather than relying on additional security tools or user vigilance as the primary defense.'
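
To illustrate the "visibility into installation parameters" recommendation, the inspector below decodes an MCP install deeplink and reports what approving it would configure. It is an added example, not code from Proofpoint, Cursor or this page; the deeplink layout (`cursor://anysphere.cursor-deeplink/mcp/install` with `name` and base64 JSON `config` parameters) and the `command`/`args`/`env`/`url` config keys are assumptions taken from Cursor's public documentation, and the sample link is constructed.

```python
import base64
import json
import shlex
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed layout, from Cursor's public docs (not stated on this page):
#   cursor://anysphere.cursor-deeplink/mcp/install?name=<label>&config=<base64 JSON>
ASSUMED_HOST, ASSUMED_PATH = "anysphere.cursor-deeplink", "/mcp/install"


def inspect_mcp_deeplink(link):
    """Decode an install deeplink and report what approving it would configure."""
    parts = urlsplit(link)
    if (parts.scheme, parts.netloc, parts.path) != ("cursor", ASSUMED_HOST, ASSUMED_PATH):
        raise ValueError("not an MCP install deeplink in the assumed layout")
    query = parse_qs(parts.query)
    if "name" not in query or "config" not in query:
        raise ValueError("deeplink lacks name or config parameter")
    # '+' may arrive as a space after query decoding; accept URL-safe base64 too.
    blob = query["config"][0].replace(" ", "+").replace("-", "+").replace("_", "/")
    blob += "=" * (-len(blob) % 4)
    config = json.loads(base64.b64decode(blob, validate=True))
    if not isinstance(config, dict):
        raise ValueError("config is not a JSON object")
    # The display name is chosen by whoever built the link; it proves nothing.
    report = {"name": query["name"][0], "kind": "unknown", "detail": "",
              "env_keys": sorted(config.get("env") or {})}
    if "command" in config:
        # Local server: this command line runs with the approving user's privileges.
        report["kind"] = "local-command"
        report["detail"] = shlex.join([str(config["command"]), *map(str, config.get("args") or [])])
    elif "url" in config:
        # Remote server: the IDE would connect to this host.
        report["kind"] = "remote-server"
        report["detail"] = urlsplit(str(config["url"])).netloc
    return report


def constructed_sample_link(config=None):
    """Build a harmless, constructed deeplink to exercise the inspector."""
    config = config or {"command": "npx", "args": ["-y", "example-mcp-server"],
                        "env": {"API_TOKEN": "placeholder"}}
    blob = base64.b64encode(json.dumps(config).encode()).decode()
    return "cursor://%s%s?%s" % (ASSUMED_HOST, ASSUMED_PATH,
                                 urlencode({"name": "Docs Helper", "config": blob}))


if __name__ == "__main__":
    print(inspect_mcp_deeplink(constructed_sample_link()))
```

The report separates the link's display name from the command line or remote host it actually carries, so a reviewer or a mail/chat gateway can compare the two before the link reaches the IDE.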

The researchers notified Cursor through its vulnerability-reporting channel. This discovery comes amid a broader trend of security researchers probing AI development tools for weaknesses. Earlier this year, the ContextCrush flaw exposed similar risks in AI development environments, and the rise of autonomous agents and AI coding tools has been described as a 'perfect storm' for security teams. As AI-assisted development becomes more prevalent, the security of the underlying tools and protocols will be critical to protecting the software supply chain.

Synthesized by Vypr AI