Cursor 1.0 Security: 94 Flaws and a $500K Crypto Heist

Cursor just launched version 1.0 — complete with an AI automation platform, cross-session memory, and MCP (Model Context Protocol, a standard that lets the AI editor plug into live databases and external tools in real time). For 1.8 million developers — many of whom have adopted vibe coding workflows where AI handles implementation while the developer guides intent — this milestone represents a genuinely useful upgrade. But it arrived alongside a security audit that exposed 94 vulnerabilities, a $500,000 cryptocurrency heist tied directly to Cursor users, and an enterprise limitation that blocks large teams from getting the most from the tool.

That tension — impressive new features, serious security gaps — defines where AI-assisted coding tools sit in 2026: powerful enough to reshape how software gets built, but not yet mature enough to trust carelessly.

Cursor 1.0 Features: MCP Support, Persistent Memory, and AI Automation

Cursor's jump to version 1.0 on October 11 was not a marketing exercise. Three features in particular change the daily workflow for developers who rely on AI assistance:

• MCP Support — Model Context Protocol (a communication standard that lets AI models query external services in real time) means Cursor can now read your database schema, check your documentation, or query your issue tracker while helping you write code. Previously, you had to copy and paste that context in manually every session.
• Persistent Memory — The editor now retains decisions, preferences, and project context across sessions. Instead of re-explaining your architecture every morning, Cursor remembers it. For developers who work on the same codebase for months, this makes the AI feel less like a search engine and more like a colleague.
• Automations Platform (March 5, 2026) — The newest addition lets teams configure AI coding agents (automated programs that write, review, or test code without human prompting) to run scheduled or triggered workflows — essentially cron jobs (time-based automated tasks) powered by AI instead of fixed scripts.

These features explain why Cursor has grown so fast. A tool that reads your live data, remembers your context, and executes automated tasks is fundamentally different from a chatbot that answers questions. But that deeper integration into your development environment also means the blast radius of a security failure is far larger.

94 Vulnerabilities — and Two That Could Wreck Your Machine

On October 21, security researchers published a formal audit disclosing 94 vulnerabilities across Cursor and Windsurf (another AI-powered IDE — integrated development environment, the software developers use to write and run code). Not all 94 are critical, but two classes directly threaten any developer with Cursor installed:

The Remote Code Execution Flaw (August 5, 2025)

Researchers disclosed a critical RCE (Remote Code Execution — a vulnerability that lets an attacker run any code on your computer without physical access or your password) in Cursor. The root cause: Cursor is built on Chromium (the open-source engine that powers Google Chrome), inheriting its full browser attack surface. This opens Cursor to n-day exploits (attacks targeting known but unpatched vulnerabilities) that were originally designed to compromise web browsers.

A successful attacker can read any file on your machine, exfiltrate (silently copy out) source code, steal credentials, or install persistent malware — all while Cursor sits open in the background. Cursor shipped a patch, but only users running the latest version are protected.

The Prompt Injection Flaw (Patched August 1, 2025)

A prompt injection vulnerability (a technique where hidden instructions embedded in data trick an AI into executing attacker commands) was found in Cursor's AI engine. In practice: an attacker crafts a file, README, or web page containing invisible instructions. When Cursor's AI reads that content, it follows those instructions — including running arbitrary commands (any code the attacker chooses) directly on the developer's machine.

This is not hypothetical. Prompt injection has been used successfully against other AI tools in production, and Cursor's specific implementation was vulnerable before the August patch. If you opened any untrusted files in an unpatched version, you may have been exposed.

How $500,000 Was Stolen Through Cursor Users

The most financially damaging attack did not exploit a Cursor code flaw directly. Instead, it used Cursor as a delivery mechanism. Kaspersky's threat researchers documented a campaign where attackers published malicious npm packages (npm is the world's largest software library registry; packages are reusable code modules that developers install with a single command) specifically engineered to target Cursor users on macOS.

The attack exploited a specific behavior: developers using AI coding tools trust AI-suggested commands more readily than they would a stranger's advice. Here is the exact chain Kaspersky documented:

1. Attacker uploads a package with a name one character away from a popular, trusted library — a technique called typosquatting (exploiting people's tendency to misread or mistype names).
2. The developer searches for or is suggested the package inside Cursor's environment and installs it without verifying the exact spelling.
3. Hidden code executes silently, targeting cryptocurrency wallets and stored credentials on the developer's system.
4. Funds are transferred before anything appears wrong on screen.

Total documented damage: $500,000 in cryptocurrency stolen. The attack succeeded not because Cursor's own code was broken, but because developers inside AI coding tools have a systematically lower guard against install commands — and attackers have already mapped and exploited that behavioral pattern.

The Feature Cursor Still Can't Deliver at Enterprise Scale

Even setting security aside, Cursor 1.0 carries a documented limitation that matters for any team with more than a handful of developers: multi-file refactoring breaks down in enterprise-scale codebases.

Refactoring (restructuring existing code without changing what it does — renaming functions, reorganizing modules, updating shared interfaces) is a core part of professional software development. In a monorepo (a single repository containing an entire company's codebase, used by Google, Meta, Airbnb, and most large tech companies), a single rename can touch hundreds of files. Cursor's AI handles this reliably for small projects, but fails to maintain consistency at scale — silently introducing bugs as it loses track of all affected locations.

Here is the realistic adoption picture by team size:

• Solo developers and small teams (under 10 people): Cursor 1.0 delivers clear productivity gains. Persistent memory and MCP features significantly reduce repetitive context-setting.
• Mid-size teams (10–50 developers): Benefits remain real, but security hygiene becomes a team-wide enforcement problem — one developer's vulnerable install can expose the entire organization's credentials. This applies equally to teams adopting Claude Code, GitHub Copilot, or any other AI automation tool in their stack.
• Enterprise teams (50+ developers): The multi-file refactoring limitation combined with 94 disclosed vulnerabilities makes a staged, sandboxed rollout (running in an isolated environment that cannot access production systems) the responsible path.

Five Steps Before Your Next Cursor Session

Whether you already use Cursor daily or are evaluating it for your team, security researchers recommend these specific actions right now:

• Update immediately. The August 2025 RCE and prompt injection patches are only active on the current version. Visit cursor.com and confirm you're on the latest release before opening your next project.
• Verify every package name character by character. Before running any install command — AI-suggested or manually typed — check the exact spelling against the official library's documentation page. One wrong character can be a malicious clone.
• Disable auto-run for AI terminal commands. Cursor can auto-execute commands the AI suggests. In settings, require explicit manual approval for every terminal command the AI wants to run — not just the ones that look suspicious.
• Keep Chromium-based apps updated alongside Cursor. Because Cursor shares Chrome's rendering engine, browser-engine security patches also apply to your editor. Staying current on both closes the n-day exploit window.
• For enterprise teams: run in a sandboxed environment first. Test Cursor in an isolated system that cannot reach your production databases, secrets manager, or internal networks during evaluation. Only expand access after your security team has reviewed the current vulnerability backlog. Our AI automation setup guide covers secure environment configuration for agentic coding tools.

Cursor is genuinely one of the most capable AI coding tools available today, and the 1.0 feature set reflects real engineering progress. But 1.8 million developers now share an attack surface that organized criminal groups have already successfully monetized to the tune of half a million dollars. You can learn how to configure AI coding tools safely — but treating it like any other text editor is no longer an option.

Related Content — Get Started | Guides | More News