A method that could enable code execution through manipulated installation links in an AI development environment has been identified by security researchers.
The technique, dubbed CursorJack by Proofpoint Threat Research, centres on the abuse of Model Context Protocol (MCP) deeplinks within the Cursor Integrated Development Environment (IDE), potentially allowing attackers to install malicious components or execute arbitrary commands under certain conditions.
The findings, based on controlled testing as of January 19, 2026, show that exploitation is not automatic. Instead, it depends on user interaction and system configuration. A single click on a crafted link, followed by approval of an installation prompt, may be sufficient to trigger the behaviour in some environments.
Manipulating MCP Deeplinks
Cursor uses a custom URL scheme to streamline MCP server installation, embedding configuration data directly into deeplinks that launch the IDE when clicked.
Proofpoint found that this process can be exploited through social engineering as malicious links can be crafted to appear legitimate while containing harmful configurations.
When users click these links and approve the installation prompt, the IDE may execute commands with the same privileges as the user. Because the installation dialogue does not differentiate between trusted and untrusted sources, attackers can disguise their payloads as routine tools.
This creates a pathway for both local code execution and the installation of remote malicious servers, depending on the configuration.
Security Implications For Developers
The research highlights risks for developers, who often operate with elevated permissions and access sensitive assets such as API keys, credentials and source code. While no zero-click exploitation was observed, the reliance on user approval introduces a human factor that attackers may exploit.
Read more on AI development security risks: ContextCrush Flaw Exposes AI Development Tools to Attacks
The study also noted that modern development workflows, particularly those involving AI tools, may condition users to accept prompts without thorough review. This behaviour increases exposure to deceptive installation requests that appear routine.
Researchers recommend several mitigation strategies:
-
Introduce verification mechanisms for trusted MCP sources
-
Implement stricter permission controls for command execution
-
Improve visibility into installation parameters
-
Treat deeplinks from unknown origins with caution
“The MCP ecosystem requires fundamental security improvements embedded directly into the framework architecture,” Proofpoint wrote, “rather than relying on additional security tools or user vigilance as the primary defense.”
Proofpoint published its own proof-of-concept cod on . The researchers notified Cursor through its vulnerability‑reporting channel.
Image credit: bella1105 / Shutterstock.com
