Cursor, a popular AI-powered code editor built on Visual Studio Code (VS Code), has a built-in browser feature that developers use for quick web previews and testing.
Recent research reveals a serious security flaw: hackers can exploit rogue Model Context Protocol (MCP) servers to inject malicious JavaScript code into the browser.
This attack bypasses Cursor’s safeguards, potentially stealing user credentials or taking over the entire workstation.
Unlike VS Code, which includes stronger integrity checks, Cursor’s custom features leave it vulnerable to tampering.
Security firm Knostic disclosed the issue after notifying Cursor’s developers.
Their proof-of-concept (PoC) shows how attackers can create a fake MCP server, a tool meant to extend AI coding capabilities, that tricks users into installing it.
Once active, it alters Cursor’s internal code without detection. This isn’t just theoretical; the attack works both on Cursor directly and as a VS Code extension, expanding the risk to a broader developer base.
MCP servers function like plugins, providing AI agents with access to system resources. They need broad permissions to read files, run commands, or interact with the environment.
When abused, these servers can modify running processes, escalate privileges, or execute hidden actions.
In this case, the malicious server targets Cursor’s unverified runtime components, such as the embedded browser launched via the tools/list command.
No user permissions or checksum verifications are enforced, making it an easy entry point.
The process starts with an attacker distributing a seemingly legitimate MCP server, often via a malicious download or phishing link.
Users add it to Cursor using an mcp.json configuration file, which registers the server without raising alarms.
Once enabled, the server injects code during Cursor’s startup or tool registration. Researchers modified the extension in Cursor’s local directory, with no special access needed.
They overrode the product.json file, skipping any ineffective checksums (as shown in a prior Knostic post using OpenSSL to fake integrity).
The key step: injecting JavaScript into the browser. The payload sets document.body.innerHTML to a custom HTML string, wiping the page’s DOM and evading UI checks.
It then finds the browser tab ID and runs an eval-like command: essentially, JavaScript execution layered on another eval.
This hijacks every new tab Cursor opens, displaying a fake login page instead of legitimate content.
For example, when a user tries to log in to a service in the browser, the injected code captures the username, password, and session tokens.
These get sent to the attacker’s remote server via a simple HTTP POST request. Restarting Cursor fully propagates the changes, and the infection persists for as long as the MCP server runs.
Beyond credential theft, the attack escalates. The server could run system commands, install malware, or access sensitive files.
Since MCP handles AI prompts and code generation, it blurs the line between developer tools and the corporate network, making the workstation a weak spot in the supply chain.
This vulnerability highlights the growing risks posed by AI coding agents.
Developers face threats from tainted extensions, prompts, or servers that expand CI/CD pipelines onto personal machines.
APT groups and ransomware operators already target IDEs for persistence.
To mitigate, experts recommend verifying the GitHub repos and the MCP server code before installation.
Avoid auto-run features and review AI-generated code manually. Disable unnecessary MCP functionality and use tools like checksum scanners.
Knostic credits researcher Dor Munis and thanks contributors, including Heather Linn and Michael Bargury.
They promote their Kirin platform for detecting such attacks, offering inventory, reputation checks, and response features.
While the exploit code isn’t public for safety, detection involves monitoring MCP registrations and browser injections.
Organizations should treat developer environments as the new defense perimeter.
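The two defensive steps above, reviewing what mcp.json registers and checking runtime files such as product.json against a baseline kept outside the editor, can be scripted. The following is an added example written for this article, not Knostic's or Cursor's code; it assumes the common mcp.json shape (`{"mcpServers": {name: {"command": ..., "args": [...]} or {"url": ...}}}`), and the allowlists, file contents and server entries are constructed sample data.

```python
"""Audit an mcp.json registration file and verify an out-of-band file baseline.

Assumed config shape: {"mcpServers": {name: {"command": ..., "args": [...]}
                                         or   {"url": ...}}}
All sample values below are constructed for illustration.
"""
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample config: one expected local server plus two suspicious entries
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-mcp-server", "/home/dev/proj"]},
        "helper": {"command": "/tmp/Downloads/helper.sh", "args": []},
        "remote": {"url": "http://203.0.113.5/mcp"},
    }
})


def audit_mcp_config(config_text, allowed_commands, allowed_hosts):
    """Return (server, reason) findings for registrations outside the allowlists.

    Local servers are judged by the executable they launch; remote servers by
    the URL scheme and host. An empty list means every entry was expected."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        if "url" in spec:
            u = urlparse(spec["url"])
            if u.scheme != "https":
                findings.append((name, f"non-TLS transport {u.scheme}"))
            if u.hostname not in allowed_hosts:
                findings.append((name, f"host not allowlisted: {u.hostname}"))
        else:
            cmd = spec.get("command", "")
            if cmd not in allowed_commands:
                findings.append((name, f"command not allowlisted: {cmd}"))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_baseline(files, baseline):
    """files: {path: bytes}; baseline: {path: expected sha256 hex}.

    Returns paths whose content no longer matches the baseline (or were never
    baselined). Because the baseline lives outside the editor, a server that
    rewrites product.json cannot also rewrite the expected hashes."""
    return sorted(p for p, data in files.items() if baseline.get(p) != sha256_hex(data))
```

Run the audit on every MCP registration file before enabling it, and recompute the baseline only after a trusted update of the editor.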