Original article appeared here.
The Cursor 0-day highlights a difficult reality in AI security: an AI coding tool can hand an attacker full code execution before a developer does anything at all. Researchers found that Cursor searches for a git executable inside a project’s own root folder the moment it’s opened, and if a malicious git.exe is sitting there, Cursor runs it immediately, no click, no approval dialog, no warning that anything is about to execute, just opening a cloned repository that hands an attacker arbitrary code execution as the logged-in user, a flaw reported seven months ago that remains unpatched today.
Gidi Cohen, CEO & Co-Founder, Bonfy.AI:
“This isn’t a fringe bug but a wake-up call for how we think about the trust put in modern developer tools.
Opening a project should never quietly turn into executing code, yet that’s exactly what’s happening here when AI is part of the equation, and this is not just happening with one vendor. This is a broader industry pattern where everyday workflows like cloning a repo are being treated as inherently safe, when they clearly aren’t. Developers are constantly pulling in third-party code (often with AI in the loop), but assuming that it is safe is not something we can just assume.
What’s just as much of an issues is how the response is handled. Delays, downplaying the severity, and labeling issues as “informational” signals a gap in how seriously this type of risk is being taken. The technical flaw matters, but the lack of urgency around it matters even more.
For leadership, the takeaway is straightforward. Repositories should be treated as executable content. Trust boundaries need to be explicit and enforced, not implied. And how organizations respond to vulnerabilities is now a direct reflection of their credibility, not just their security posture.
This isn’t about Cursor or any single tool. It’s about an industry still catching up to the realities of AI-assisted development. Until “open” no longer implies “execute,” this gap will continue to be exploited, mostly unnoticed and unmonitored.”
Original article appeared here.