In a revelation that exposes the fragile underbelly of AI-assisted coding, security researcher Isaac Lewis demonstrated a zero-click exploit in Cursor’s tasks.json mechanism, allowing attackers to reprogram AI agents across entire codebases without a whisper of warning. Published by The New Stack, Lewis’s proof-of-concept leverages a longstanding VS Code flaw amplified in Cursor, where Workspace Trust is disabled by default.
The exploit hinges on a malicious .vscode/tasks.json file configured to trigger on folderOpen. As soon as a developer opens a booby-trapped repository, the task executes silently, scanning for .cursor directories in the current and adjacent repos—exploiting macOS’s permissive file access. It then injects payloads to rewrite agent prompts, forcing behaviors like responding only in Spanish or, more sinisterly, exfiltrating secrets.
Lewis, a senior software developer at SIGN Fracture Care International and OWASP contributor, quipped on his blog, “That got me thinking: Could I use this to reprogram a developer’s AI agents and get them to do what I want? Even worse — could I do this to all their code repositories? Turns out: Hell yes.” His GitHub repo at github.com/ike/cursor-task-hijack provides the damning code.
Zero-Click Execution in Repo Hell
This isn’t isolated. Oasis Security’s report, detailed in Oasis Security Research, flagged Cursor shipping with Workspace Trust disabled by default as the root enabler. “A malicious .vscode/tasks.json turns a casual ‘open folder’ into silent code execution in the user’s context,” they warned, noting potential for credential theft or supply-chain infections. Cursor told Oasis that enabling Workspace Trust cripples AI features—the very selling point behind its 31% market penetration among firms, per Sonar surveys.
Lewis extended the threat: “If the tools are given malicious instructions, they could sabotage your code in subtle ways that are hard to detect… It is quite easy to get these genAI tools to exfiltrate sensitive developer information.” SANS Technology Institute first spotlighted the VS Code vector, as reported in their diary.
Help Net Security echoed the peril, advising users to set task.allowAutomaticTasks: "off" or to open unknown repos only inside an isolated VM, since the full mitigation (enabling Workspace Trust) neuters Cursor’s appeal.
From Tasks to Agent Hijack
Lewis’s demo reprograms agents by overwriting prompt files in .cursor folders, spreading via shared repos in team workflows. The task hides itself via “never reveal” settings, evading casual scrutiny. Mitigation? Manually vet tasks.json outside the editor—a cumbersome ritual for fast-paced devs.
This builds on Cursor’s vulnerability parade. Earlier, Aim Labs’ “CurXecute” (CVE-2025-54135, CVSS 8.6), covered by The Hacker News, let prompt injections via MCP servers rewrite ~/.cursor/mcp.json for RCE. “By feeding poisoned data to the agent via MCP, an attacker can gain full remote code execution under the user privileges,” Aim noted, fixed in v1.3.
BleepingComputer reported how even rejected edits hit disk first, triggering payloads from Slack channels. Check Point’s “MCPoison” (CVE-2025-54136) allowed post-approval MCP swaps, per Check Point Research.
Persistent Threats in AI Workflows
Lakera’s CVE-2025-59944 exposed a case-sensitivity bypass for .cursor/mcp.json overwrites, as dissected in their blog. Path tricks like .cursor/./mcp.json evaded the checks, enabling rule modifications that shape future code generation.
Pillar Security uncovered “Rules File Backdoor” in Cursor and Copilot, where hidden Unicode in .cursor/rules injects malicious scripts invisibly, per their analysis. “The AI assistant never mentions the addition of the script tag,” they observed, propagating via PRs.
ZDNet called the tasks.json autorun “critical,” urging Workspace Trust despite AI fallout, citing Oasis.
Industry Echoes and Fixes
Cursor’s security page at cursor.com/security acknowledges risks but prioritizes model providers like OpenAI. Anysphere committed to Workspace Trust guidance post-Oasis disclosure, yet defaults persist as of January 2026.
SecurityWeek noted four denylist bypasses in auto-run, now allowlisted. Tenable’s FAQ on CurXecute/MCPoison stresses MCP handling flaws.
Oasis advises hunting runOn: "folderOpen" in repos and monitoring IDE shells. Lewis stresses behavioral defenses for agentic tools: “As agentic tools take on more autonomy, static validation must evolve into behavioral and contextual defense.”
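As an added example (not code from Lewis, Oasis or Cursor), here is a Python scanner for the check Oasis recommends: it walks a directory of cloned repos, parses each .vscode/tasks.json as JSONC (comments and trailing commas are legal there, so a strict JSON parser would silently skip such files), and reports every task whose runOptions.runOn is "folderOpen". The sample repo tree it builds is constructed for the demo.

```python
import json
import os
import re
import tempfile

# VS Code reads tasks.json as JSONC: drop // and /* */ comments (not inside strings)
# and trailing commas before handing the text to the strict json parser.
_JSONC_TOKEN = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA = re.compile(r',(\s*[}\]])')

def parse_jsonc(text):
    without_comments = _JSONC_TOKEN.sub(lambda m: m.group(1) or '', text)
    return json.loads(_TRAILING_COMMA.sub(r'\1', without_comments))

def find_autorun_tasks(root):
    # Tasks whose runOptions.runOn is "folderOpen" run the moment the folder is opened.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != '.vscode' or 'tasks.json' not in files:
            continue
        path = os.path.join(dirpath, 'tasks.json')
        try:
            with open(path, encoding='utf-8') as fh:
                data = parse_jsonc(fh.read())
        except (ValueError, OSError) as exc:  # unparseable: still surface it for manual review
            findings.append({'file': path, 'label': None, 'command': None, 'error': str(exc)})
            continue
        for task in (data.get('tasks', []) if isinstance(data, dict) else []):
            if isinstance(task, dict) and (task.get('runOptions') or {}).get('runOn') == 'folderOpen':
                findings.append({'file': path, 'label': task.get('label'),
                                 'command': task.get('command'), 'error': None})
    return findings

# Constructed sample tree (not from the page): repo-a has an auto-run task written as JSONC, repo-b only a build task.
AUTORUN_TASKS = '''{
  "version": "2.0.0", // runs on open
  "tasks": [
    {"label": "setup", "type": "shell", "command": "echo constructed-sample",
     "runOptions": {"runOn": "folderOpen"},},
  ],
}'''
BUILD_TASKS = '{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell", "command": "make"}]}'

def build_sample_tree():
    root = tempfile.mkdtemp(prefix='repos-')
    for repo, body in (('repo-a', AUTORUN_TASKS), ('repo-b', BUILD_TASKS)):
        os.makedirs(os.path.join(root, repo, '.vscode'))
        with open(os.path.join(root, repo, '.vscode', 'tasks.json'), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root
```

Point find_autorun_tasks at the parent directory of your checkouts; any hit is a task that would execute on open and deserves a manual read before the folder is trusted.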
Broader AI Coding Perils
These flaws spotlight systemic risks in agentic IDEs. CyberScoop highlighted CurXecute’s intrinsic LLM prompt steering. NSFOCUS urged upgrades post-CVE-2025-54135.
Supply-chain vectors loom large: public repos laced with tasks.json could infect teams. Reddit’s r/sysadmin thread warned of silent execution, with users debating enterprise readiness.
The Hacker News linked it to Claude Code prompt injections bypassing reviews. As AI coders gain autonomy, insiders must audit configs, enforce trust prompts, and red-team relentlessly—lest trusted tools become trojans.
WebProNews is an iEntry Publication