The attack leverages Cursor’s lack of integrity verification on Cursor-specific features, a stark contrast to VS Code’s more robust security controls, enabling complete browser hijacking and credential theft from developers.
The attack exploits a flaw in Cursor’s embedded browser component, which fails to perform integrity checks on code modifications.
By registering a local MCP server through Cursor’s configuration, attackers can bypass all built-in security controls and inject malicious JavaScript directly into the browser’s DOM.
The attacker’s payload overwrites document.body.innerHTML with attacker-controlled HTML, effectively sidestepping all UI-level security checks.
The proof-of-concept demonstrates a credential-stealing attack where a malicious MCP server modifies Cursor’s extension files without requiring any permissions.
Once enabled, the server injects code that intercepts browser tabs, replacing legitimate login pages with fake phishing interfaces.
When victims enter their credentials, the attacker harvests and transmits them to a remote server.
The attack propagates automatically each time Cursor opens a new browser tab, creating a persistent compromise on the developer’s workstation.
This attack is not limited to credential theft; the same capability allows attackers to execute any action the user can perform, modify system components, escalate privileges, and gain new capabilities without user visibility or notification.
This vulnerability expands the attack surface for developers and AI coding agents.
MCP servers operate with broad permissions, making them attractive targets for threat actors seeking to compromise the developer’s machine, which increasingly serves as the new perimeter for enterprise cybersecurity.
The attack illustrates how malicious MCP servers, extensions, and prompts can execute code without user knowledge, potentially reaching corporate networks and sensitive environments.
Developers should carefully vet all MCP servers and extensions before installation, review source code on GitHub, disable auto-run modes, and implement additional security layers.
Organizations should monitor MCP server usage and consider enterprise solutions that provide detection, response, and reputation-based protections against supply chain attacks targeting developers and AI coding agents.
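As a starting point for the vetting and monitoring recommended above, the following added example (not code from the researchers or from Cursor) audits an MCP configuration and reports servers that are not on an approved list, are launched from an unpinned package, or are reached over plaintext HTTP. It assumes a Cursor-style JSON config with an `mcpServers` map; the sample config, server names, package names and the approved list are constructed for illustration.

```python
import json
import os

# Assumption: Cursor-style MCP config of the form
# {"mcpServers": {name: {"command": ..., "args": [...]} or {"url": ...}}}.
RUNNERS = {"npx", "bunx"}  # launchers that fetch and run an npm package at start-up

# Constructed sample; server names, packages and URLs are made up.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "docs-search": {"command": "npx", "args": ["-y", "docs-search-mcp@1.4.2"]},
    "helper":      {"command": "npx", "args": ["-y", "some-helper-mcp"]},
    "local-tool":  {"command": "node", "args": ["/tmp/tool/server.js"]},
    "remote-api":  {"url": "http://mcp.example.test/sse"}
  }
}
"""

def is_pinned(spec):
    """True if an npm-style spec has an explicit numeric version (name@1.2.3)."""
    # Skip the first character so a leading scope marker (@scope/name) is not
    # mistaken for a version separator.
    return "@" in spec[1:] and spec.rsplit("@", 1)[1][:1].isdigit()

def audit_mcp_config(config_text, approved):
    """Return sorted (server_name, finding) pairs for entries that need review."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        if name not in approved:
            findings.append((name, "not on approved list"))
        if os.path.basename(entry.get("command", "")) in RUNNERS:
            # First non-flag argument is the package the runner will download.
            pkgs = [a for a in entry.get("args", []) if not a.startswith("-")]
            if pkgs and not is_pinned(pkgs[0]):
                findings.append((name, "unpinned package: " + pkgs[0]))
        url = entry.get("url", "")
        if url and not url.startswith("https://"):
            findings.append((name, "plaintext URL: " + url))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_mcp_config(SAMPLE_CONFIG, approved={"docs-search"}):
        print(f"{name}: {finding}")
```

To audit a real workstation, pass the text of the MCP configuration file in use and an approved list maintained by the security team.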
The post Hackers Use Rogue MCP Server to Inject Malicious Code and Take Over Cursor’s Browser appeared first on Cyber Security News.