Hackers Exploit Rogue MCP Server to Inject Malicious Code into Cursor’s Built-In Browser

Security researchers have uncovered a critical vulnerability in Cursor, the AI-powered code editor, that allows attackers to inject malicious code through rogue Model Context Protocol (MCP) servers.

Unlike VS Code, Cursor lacks integrity checks on its runtime components, making it vulnerable to tampering through MCP server registration.

The attack works by registering a local MCP server that completely circumvents Cursor’s built-in security controls. When an unsuspecting developer enables a malicious MCP server and restarts Cursor, the browser becomes compromised.

Attackers can inject arbitrary JavaScript code that hijacks the internal browser, replacing legitimate login pages with credential-harvesting fakes that send stolen credentials to remote servers.

How the Attack Functions

The vulnerability stems from Cursor’s failure to verify the integrity of Cursor-specific features during runtime.

Researchers created a proof-of-concept by modifying internal, unverified code during MCP server registration.

This modification injects malicious code into Cursor’s browser without requiring special ...