editorially independent. We may make money when you click on links
to our partners.
Learn More
A vulnerability chain in an AI-powered code editor is raising alarms about how autonomous developer tools can be turned against their users.
Dubbed NomShub, the flaw allows attackers to gain persistent shell access simply by luring a developer into opening a malicious repository — no traditional exploit required.
“When an AI agent can execute shell commands, manage processes, and interact with authentication systems, a successful prompt injection becomes equivalent to remote code execution,” said Straiker researchers in their blog post.
Inside the NomShub Attack Chain
The NomShub vulnerability chain highlights a growing blind spot in security programs: AI-assisted development tools are blurring the line between trusted automation and untrusted input, expanding the attack surface as they execute instructions from external sources like public repositories.
In this model, simply viewing code can effectively become executing it, creating new opportunities for attackers to exploit implicit trust in AI-driven workflows.
The issue, identified in the Cursor AI code editor, shows how multiple weaknesses can be chained into a full system compromise.
NomShub combines indirect prompt injection, a sandbox escape in the command parser, and abuse of a legitimate remote tunneling feature.
What makes this attack especially dangerous is its simplicity — it requires little more than opening a malicious repository and interacting with the AI assistant as intended.
How the NomShub Attack Begins
The attack begins with how AI agents process repository content.
Threat actors embed malicious instructions in files that appear benign, often disguised as setup documentation.
When a developer asks the AI assistant for help, the agent ingests this content and executes the embedded commands as part of its normal workflow, effectively turning the AI into an execution layer for attacker-controlled input.
Sandbox Escape Through Command Parser Flaws
From there, the attack escalates through a flaw in Cursor’s command parser.
Although designed to block unsafe commands, it fails to properly account for shell built-ins such as export and cd, which do not appear as external binaries.
By chaining these built-ins with otherwise innocuous commands, attackers can bypass restrictions and write to sensitive locations in the user’s home directory.
Because macOS permits these writes by default, the sandbox protections break down, enabling a reliable escape.
Persistence and Remote Access via Tunneling
Once the sandbox is bypassed, persistence is established by modifying shell initialization files like ~/.zshenv, ensuring malicious code executes whenever a new session starts.
The attacker then leverages Cursor’s remote tunnel feature to exfiltrate credentials and maintain access over HTTPS via Azure infrastructure, allowing the activity to blend in with normal traffic and making detection difficult.
NomShub ultimately represents a multi-stage attack chain that progresses from prompt injection to sandbox escape, persistence, and remote access, all while relying on living-off-the-land techniques that abuse trusted, signed binaries like cursor-tunnel.
Because the AI agent autonomously carries out these steps under the guise of normal operation, the attack requires minimal user interaction while increasing its potential impact.
How to Reduce AI Risk
As AI-powered development tools become more embedded in daily workflows, organizations must rethink how they approach security in these environments.
Traditional controls are often not enough to address risks introduced by autonomous agents that can interpret and act on untrusted input.
The NomShub vulnerability highlights the need for a layered defense strategy that spans developer behavior, system hardening, and network controls.
- Treat all repositories and AI-ingested content as untrusted input, and require explicit human approval for high-risk agent actions before execution
- Restrict AI agent capabilities by limiting permissions, enforcing context isolation, and disabling unnecessary features like remote tunneling
- Harden developer environments using least privilege, application allowlisting, and protections for shell initialization files such as .zshenv and .bashrc.
- Use ephemeral or containerized development environments to prevent persistence and reduce the impact of compromised sessions
- Implement strong monitoring and detection, including behavioral analytics for AI-driven actions and inspection of unusual processes or outbound connections
- Enforce network and identity controls such as egress filtering, conditional access, and short-lived credentials to limit unauthorized remote access and credential exposure
- Test incident response plans and use attack simulation solutions with scenarios around prompt injection, unsafe AI-generated instructions and other AI exploitation scenarios.
Together, these controls help organizations build resilience against emerging AI-driven threats while reducing their exposure.
AI Expands Attack Surface
NomShub highlights a broader shift where attackers are targeting automation layers in addition to traditional software vulnerabilities.
As AI tools become more integrated into development workflows, they introduce new risks — particularly when automated systems can act on untrusted input.
This trend aligns with ongoing supply chain and living-off-the-land (LOTL) activity, where adversaries rely on legitimate tools and infrastructure rather than deploying easily detectable malware.
As a result, organizations may need to reassess trust boundaries and strengthen controls around how AI-driven tools interpret and execute instructions.
These evolving risks reinforce the importance of adopting zero trust solutions that continuously verify users, tools, and actions rather than assuming any component in the development environment is inherently safe.
