AI agents and coding copilots are shaking up how — and what — developers code. But they’re also rapidly expanding the attack surface of developer machines.
The latest example: Security researchers have shown how a rogue Model Context Protocol (MCP) server can inject malicious code into the built-in browser feature of Cursor, a popular AI-powered code editor.
“We demonstrate how a single malicious MCP server can replace login pages inside Cursor’s internal browser with an attacker-controlled page that harvests credentials and sends them to a remote attacker,” researchers from AI cybersecurity firm Knostic.ai wrote in new research shared with CSO. “We also show how that same capability allows an attacker to fully compromise the victim’s workstation.”
Originally developed by Anthropic to facilitate communication between large language models (LLMs) and external data sources or applications to improve workflow context, MCP has become a key component for developing AI agents that automate tasks by leveraging external tools.
The protocol uses a client-server architecture, in which applications expose functionality to LLMs through an MCP server and AI agents or applications connect to those services through an MCP client. Integrated development environments (IDEs) such as Microsoft’s Visual Studio Code — and those based on it, like Cursor and Windsurf — natively support integration with MCP servers.
To enhance security, most IDE vendors maintain repositories of vetted MCP servers, but IDE users can also deploy custom servers manually. Such servers can be found all over the internet, including on GitHub. Earlier this year, researchers found hundreds of MCP servers in public GitHub repositories with dangerous misconfigurations, including default exposure to untrusted networks and OS command injection paths.
Attacking Cursor and other VS Code-based IDEs
Cursor is essentially a fork of VS Code with code added to turn it into an AI-assisted coding tool, whereas VS Code gets its AI capabilities through extensions. Knostic researcher Dor Munis, who developed the MCP attack against Cursor, told CSO that unlike VS Code, which performs integrity checks of its own files, Cursor does not. As a result, any modification of its own code will not present the user with a warning.
VS Code, and by extension Cursor and other VS Code forks, is built on Electron, a framework for developing cross-platform desktop applications with Node.js and Chromium’s Blink rendering engine. These applications therefore ship with a full JavaScript runtime, and as IDEs they also run with the file system access and permissions of the developer who launched them.
Knostic researchers recently published a proof-of-concept attack against Cursor implemented through a malicious extension that injected JavaScript into the running IDE to execute actions and manipulate its user interface. Malicious extensions have also been found in the VS Code Marketplace and the Open VSX registry, which Cursor also uses, including a self-propagating worm that harvests credentials from developer machines.
Knostic’s newly unveiled attack is similar in concept but is delivered via a malicious MCP server, which expands the attack surface beyond extensions.
“An MCP server should be treated exactly like VS Code extensions in terms of security,” Munis said. That’s because MCP servers are essentially downloaded to run on your computer, and inherit the permissions of the IDE you use, he explained.
In his proof-of-concept attack, Munis shows that an MCP server can inject JavaScript into the built-in browser that Cursor recently added so that developers can visually test changes to their application code and Cursor’s AI agent can perform tasks that require browsing on its own. Using this technique, Munis replaced the page the browser was displaying with a log-in prompt, as in a phishing scenario, but without the URL ever changing: the injected code rewrites the page in place.
Of course, the impact of such an attack would depend on what the victim is doing in the browser. Developers might be displaying sensitive data from the web app they’re working on, or they might be logged into a service. It’s worth noting that the internal browser saves authentication cookies for the session and those could also be targeted.
The attack was developed to prove successful JavaScript code injection via an MCP server, but just like with the extension attack, it could be expanded to perform other malicious actions inside the Cursor IDE itself.
Defenses
Organizations must review and control, through both policy and access controls, the IDE extensions and MCP servers their developers use, just as they should vet application dependencies from package registries such as npm or PyPI, to prevent the compromise of developer machines and the inheritance of vulnerabilities in their code.
Attackers are increasingly using VS Code extensions as an attack vector to target developers, and it’s only a matter of time before they start abusing MCP servers more widely.
“Try to find the project’s GitHub repo and review the code,” the Knostic team advised. “This is a program you install on your computer that can do anything. If there’s doubt about its credibility, DO NOT USE IT.”
Using auto-run modes, in which agents are allowed to perform tasks automatically inside the IDE without a human approving the steps, also known as YOLO mode, should also be avoided.
“Never blindly enable anything, especially MCP functionality,” the team warned. “Don’t assume that everything your AI agent generated is as you expected. Read through the code before you perform actions in the embedded browser.”
In its MCP documentation, Cursor itself warns developers to:
Verify an MCP server’s source and only install from trusted developers and repositories
Check what data and APIs the server is supposed to access
Use API keys with restricted permissions
Audit the server’s code for critical integrations