CURSORJACK , described by Infosecurity Magazine as a method that could enable code execution through manipulated installation links in an AI development environment, has been identified by security researchers. According to Proofpoint Threat Research, the technique centres on abusing Model Context Protocol deeplinks within the Cursor Integrated Development Environment, potentially allowing attackers to install malicious components or execute arbitrary commands under certain conditions.
The findings, based on controlled testing as of 19 January 2026, show exploitation is not automatic and depends on user interaction and system configuration, with a single click on a crafted link and approval of an installation prompt sometimes being sufficient. Proofpoint found that the process can be exploited via social engineering, as malicious links can appear legitimate while containing harmful configurations, and that the MCP deeplinks embed configuration data to launch the IDE.
The researchers recommend mitigations such as verification mechanisms for trusted MCP sources, stricter permission controls for command execution, better visibility into installation parameters, and caution with deeplinks from unknown origins. 17 March 2026.