Cursorjack: Weaponizing Deeplinks To Exploit Cursor IIDE
Proofpoint, March 17,2026
This post reflects Proofpoint Threat Research observations in a controlled test environment as of January 19, 2026. Proofpoint has no commercial, customer, partner, or vendor relationship with Cursor (published by Anysphere, Inc.).
Cursor implements deeplinks for Model Context Protocol (MCP) to provide a mechanism for installation of MCP servers in Cursor IDE. This blog describes CursorJack, a method of potentially abusing Cursor MCP deeplinks that, under certain conditions, could enable code execution or allow installation of a malicious remote MCP server. The behavior described below is specific to the test environments noted and does not imply silent or zero‑click exploitation by default. It does, however, highlight the urgent need to secure agentic AI environments.