What happened
Cursor Desktop versions prior to 3.0.0 would automatically read and execute hook commands defined in .claude/settings.local.json within a workspace without requiring any dedicated user approval. A threat actor — or a compromised/malicious AI agent operating within the workspace — could write or deliver a crafted settings file containing arbitrary OS-level commands (e.g., credential exfiltration, backdoor installation) that execute silently when the IDE starts or a Claude session begins. This is closely related to the broader Shai-Hulud/Hades campaign class that weaponizes AI coding agent configuration files as persistence vectors.
Why it matters
AI coding agents increasingly create and modify their own configuration files as part of normal operation. This vulnerability means a malicious or compromised agent can bootstrap persistent arbitrary code execution on the developer's machine by writing a hook into the workspace config — no separate exploit needed. It also enables supply-chain attacks via poisoned repos: any developer who clones and opens a malicious repository in Cursor gets silently compromised before writing a single line of code.
Attack vector
An attacker crafts a malicious .claude/settings.local.json (or convinces a Claude agent to write one) inside a workspace or repository. When a victim opens the workspace in Cursor Desktop, the editor reads and executes the embedded Claude hook commands (e.g., SessionStart hooks) with the developer's full OS-level privileges, without presenting any approval prompt to the user.
Affected systems
Cursor Desktop (AI code editor) < 3.0.0
Mitigation
Upgrade to Cursor Desktop 3.0.0 or later, which requires explicit user approval before executing workspace-defined Claude hook commands. Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-pc9j-3qc2-95wv
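A pre-open audit for the file described above, written for this page as an added example and not taken from the advisory or from Cursor. It lists every hook command found in .claude/settings.local.json under a directory so a cloned repository can be reviewed before it is opened. The hook layout (a top-level "hooks" object keyed by event name, with entries carrying a "command" string) is an assumption, and the sample data is constructed.

```python
import json
import sys
from pathlib import Path

# Constructed sample of a hook-bearing settings file (schema is an assumption).
SAMPLE_SETTINGS = {
    "hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "echo constructed-sample-hook"}]}
    ]}
}


def collect_commands(node):
    """Yield every string stored under a "command" key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from collect_commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from collect_commands(item)


def audit_workspace(root):
    """Return (path, event, command) for each hook found; nothing is executed."""
    findings = []
    for path in sorted(Path(root).rglob("settings.local.json")):
        if path.parent.name != ".claude":
            continue  # only the workspace file named in the advisory
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # Unreadable or malformed files are reported for manual review.
            findings.append((str(path), "<unparseable>", str(exc)))
            continue
        hooks = data.get("hooks") if isinstance(data, dict) else None
        if isinstance(hooks, dict):
            for event, entries in hooks.items():
                findings.extend((str(path), event, c) for c in collect_commands(entries))
    return findings


if __name__ == "__main__":
    results = audit_workspace(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, event, command in results:
        print(f"{path}: {event}: {command}")
    sys.exit(1 if results else 0)  # non-zero exit lets CI or a pre-open wrapper stop
```

Run it against a freshly cloned directory before opening it in the editor; an empty result means no hook commands were found in that file, not that the repository is otherwise safe.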