
Knostic’s newly unveiled attack is similar in concept, but because it is delivered via a malicious MCP server, it expands the attack surface beyond extensions.
“An MCP server should be treated exactly like VS Code extensions in terms of security,” Munis said. That’s because MCP servers are essentially downloaded to run on your computer, and inherit the permissions of the IDE you use, he explained.
In his proof-of-concept attack, Munis shows that an MCP server can inject JavaScript code into the built-in browser that Cursor recently added, both to let developers visually test changes to their application code and to let Cursor’s AI agent automatically perform tasks that require browsing. Using this technique, Munis replaced the browser’s actively displayed page with a log-in prompt, as in a phishing scenario, but without the URL ever changing. In other words, the injected code’s changes happen on the fly.
