Anysphere
Company Details
Linkedin ID:
anysphereinc
Website:
Employees number:
1,393
Number of followers:
29,557
NAICS:
5112
Industry Type:
Homepage:
www.anysphere.co
IP Addresses:
0
Company ID:
ANY_3162007
Scan Status:
In-progress
Anysphere Company CyberSecurity Posture
www.anysphere.co
We're Anysphere, the team behind Cursor. Our mission is to automate coding. Our approach is to build the engineer of the future: a human-AI programmer that's an order of magnitude more effective than any one programmer. This hybrid engineer will have effortless control over their codebase and no low-entropy keystrokes. They will iterate at the speed of their judgment, even in the most complex systems. Using a combination of AI and human ingenuity, they will out-smart and out-engineer the best pure-AI system. We are a group of researchers and engineers. We build software and models to invent at the edge of what's useful and what's possible. Cursor has already improved the lives of millions of programmers.
Anysphere A.I CyberSecurity Scoring
Anysphere Risk Score (AI oriented)Between 750 and 799
Anysphere
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Anysphere Global Score (TPRM)XXXX
Anysphere
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Anysphere Company CyberSecurity News & History
Past Incidents
3
Attack Types
1
Cursor
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A critical security vulnerability was discovered in Cursor, an AI-powered fork of Visual Studio Code, where a disabled-by-default Workspace Trust setting allowed arbitrary code execution when a maliciously crafted repository was opened. Attackers could exploit this by embedding hidden *autorun* instructions in `.vscode/tasks.json`, triggering silent code execution upon folder opening. This flaw exposed users to supply chain attacks, risking sensitive credential leaks, unauthorized file modifications, or broader system compromise. The issue stemmed from Cursor’s default configuration, which prioritized convenience over security, leaving developers vulnerable to deceptive repositories hosted on platforms like GitHub. While mitigations (e.g., enabling Workspace Trust, auditing untrusted repos) were advised, the flaw highlighted systemic risks in AI-driven development tools, where classical security oversights (e.g., misconfigurations, missing sandboxing) amplify attack surfaces. The vulnerability underscored the broader trend of prompt injection and jailbreak risks in AI coding assistants, where malicious actors exploit trust gaps to bypass security reviews or execute unauthorized code.
Cursor
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: The AI-powered developer tool Cursor was found to have a critical vulnerability (CVE-2025-54136, dubbed MCPoison), allowing attackers to permanently inject malicious code into development projects via its Model Context Protocol (MCP) system. Once a seemingly harmless MCP configuration is approved by a developer, attackers can later replace it with malicious commands. The modified code executes automatically every time the project is opened, without further warnings or approvals, creating a persistent backdoor. This flaw enables unauthorized access to sensitive data (e.g., credentials, internal documents) stored locally by developers, intellectual property theft through source code manipulation, and compromise of collaborative environments especially in startups and research teams where Cursor is widely used. The vulnerability exploits blind trust in AI-driven automation, turning convenience into a long-term security risk. While a patch was released on July 30, 2025, the exposure period left organizations vulnerable to stealthy, continuous attacks with potential for large-scale data breaches or supply-chain compromises if exploited in shared repositories.
Cursor
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A high-severity vulnerability (CVE-2025-54136, CVSS 7.2), dubbed MCPoison, was discovered in Cursor’s AI-powered code editor, enabling remote and persistent code execution via manipulated Model Context Protocol (MCP) configurations. Attackers could exploit this by embedding a benign MCP config in a shared GitHub repository, waiting for victim approval, then silently replacing it with malicious payloads (e.g., backdoors, scripts like `calc.exe`). The flaw stemmed from Cursor’s trust model, which indefinitely trusted approved configs even after modification, exposing organizations to supply chain risks, data theft, and intellectual property exfiltration without detection. The issue was patched in Cursor v1.3 (July 2025) by enforcing re-approval for MCP config changes. However, the vulnerability underscored broader risks in AI-assisted development, including AI supply chain attacks, model poisoning, and unsafe code generation. Research highlighted that 45% of LLM-generated code (Java worst at 72%) introduced OWASP Top 10 vulnerabilities, while novel attack vectors like LegalPwn (prompt injection via legal disclaimers), Man-in-the-Prompt (rogue browser extensions), and MAS hijacking (multi-agent system compromise) further demonstrated systemic weaknesses in AI security paradigms. The flaw’s exploitation could lead to unauthorized data access, lateral movement, and persistent compromise of developer workflows, amplifying risks for enterprises integrating LLMs into critical systems.
Anysphere Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Anysphere
Incidents vs Software Development Industry Average (This Year)
No incidents recorded for Anysphere in 2026.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Anysphere in 2026.
Incident Types Anysphere vs Software Development Industry Avg (This Year)
No incidents recorded for Anysphere in 2026.
Incident History — Anysphere (X = Date, Y = Severity)
Anysphere cyber incidents detection timeline including parent company and subsidiaries
Anysphere Company Subsidiaries
We're Anysphere, the team behind Cursor. Our mission is to automate coding. Our approach is to build the engineer of the future: a human-AI programmer that's an order of magnitude more effective than any one programmer. This hybrid engineer will have effortless control over their codebase and no low-entropy keystrokes. They will iterate at the speed of their judgment, even in the most complex systems. Using a combination of AI and human ingenuity, they will out-smart and out-engineer the best pure-AI system. We are a group of researchers and engineers. We build software and models to invent at the edge of what's useful and what's possible. Cursor has already improved the lives of millions of programmers.
Loading...
Anysphere Similar Companies
Pitney Bowes is a technology-driven company that provides digital shipping solutions, mailing innovation, and financial services to clients around the world – including more than 90 percent of the Fortune 500. Small businesses to large enterprises, and government entities rely on Pitney Bowes to red
NetSuite
Founded in 1998, Oracle NetSuite is the world’s first cloud company. For more than 25 years, NetSuite has helped businesses gain the insight, control, and agility to build and grow a successful business. First focused on financials and ERP, we now provide an AI-powered unified business system that
Xiaomi Corporation was founded in April 2010 and listed on the Main Board of the Hong Kong Stock Exchange on July 9, 2018 (1810.HK). Xiaomi is a consumer electronics and smart manufacturing company with smartphones and smart hardware connected by an IoT platform at its core. Embracing our vision
At Bolt, we're building a future where people don’t need to own personal cars to move around safely and conveniently. A future where people have the freedom to use transport on demand, choosing whatever vehicle's best for each occasion — be it a car, scooter, or e-bike. We're helping over 200 mill
Amazon is guided by four principles: customer obsession rather than competitor focus, passion for invention, commitment to operational excellence, and long-term thinking. We are driven by the excitement of building technologies, inventing products, and providing services that change lives. We embrac
Databricks
Databricks is the Data and AI company. More than 20,000 organizations worldwide — including adidas, AT&T, Bayer, Block, Mastercard, Rivian, Unilever, and over 60% of the Fortune 500 — rely on Databricks to build and scale data and AI apps, analytics and agents. Headquartered in San Francisco with 30
Snowflake
Snowflake delivers the AI Data Cloud — a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the AI Data Cloud, organizations unite their siloed data, easily discover and securely share governed data, and execute diverse analy
Zoho
Zoho offers beautifully smart software to help you grow your business. With over 100 million users worldwide, Zoho's 55+ products aid your sales and marketing, support and collaboration, finance, and recruitment needs—letting you focus only on your business. Zoho respects user privacy and does not h
NiCE
NiCE is transforming the world with AI that puts people first. Our purpose-built AI-powered platforms automate engagements into proactive, safe, intelligent actions, empowering individuals and organizations to innovate and act, from interaction to resolution. Trusted by organizations throughout 150
.png)
Anysphere CyberSecurity News
December 02, 2025 08:00 AM
10 Funding Rounds To Know About in November, 2025
As the end of the year draws nearer, startups all over the world are racing to start the new year with their fundraises locked in.
November 20, 2025 08:00 AM
Fake CEO Claim on LinkedIn Triggers Debate on Digital Misinformation
A Pune man's false claim of leading a billion-dollar US AI startup exposes gaps in online identity verification.
October 14, 2025 07:00 AM
Exclusive: Cursor-Maker Anysphere in Talks to Raise $1 Billion at $27 Billion Valuation
Coatue Management and Accel have been in talks to make major investments in Anysphere, which makes popular coding assistant Cursor,...
September 19, 2025 07:00 AM
Wilson Sonsini Advises Anysphere on Acquisition of Koala
Anysphere, the company behind the artificial intelligence coding application Cursor, acquired Koala, an AI-powered customer relationship...
September 11, 2025 07:00 AM
Default Cursor setting can be exploited to run malicious code on developers’ machines
A default setting in Cursor, a popular AI source-code editor, could be used by attackers to covertly run malicious code on users' computers.
July 22, 2025 07:00 AM
The State Of Startups In Mid-2025 In 8 Charts: Global Funding And M&A Surge As AI Fervor Continues
Global startup funding reached $91 billion in Q2 2025, according to Crunchbase data — an 11% increase year over year but 20% drop quarter to...
July 18, 2025 07:00 AM
Cursor snaps up enterprise startup Koala in challenge to GitHub Copilot
Cursor maker Anysphere is snapping up top talent from AI enterprise startups in an effort to compete with Microsoft's GitHub Copilot.
June 05, 2025 07:00 AM
Anysphere raises $900M for its AI-powered Cursor code editor
Code editor startup Anysphere Inc. today announced that it has closed a $900 million funding round. OpenAI backer Thrive Capital led the raise.
April 18, 2025 07:00 AM
Cursor AI's own support bot hallucinated its usage policy
Users of Cursor AI experienced the limitations of AI firsthand when the programming tool's own AI support bot hallucinated a policy limitation that doesn't...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Anysphere CyberSecurity History Information
Official Website of Anysphere
The official website of Anysphere is www.anysphere.co.
Anysphere’s AI-Generated Cybersecurity Score
According to Rankiteo, Anysphere’s AI-generated cybersecurity score is 751, reflecting their Fair security posture.
How many security badges does Anysphere’ have ?
According to Rankiteo, Anysphere currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Has Anysphere been affected by any supply chain cyber incidents ?
According to Rankiteo, Anysphere has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.
Does Anysphere have SOC 2 Type 1 certification ?
According to Rankiteo, Anysphere is not certified under SOC 2 Type 1.
Does Anysphere have SOC 2 Type 2 certification ?
According to Rankiteo, Anysphere does not hold a SOC 2 Type 2 certification.
Does Anysphere comply with GDPR ?
According to Rankiteo, Anysphere is not listed as GDPR compliant.
Does Anysphere have PCI DSS certification ?
According to Rankiteo, Anysphere does not currently maintain PCI DSS compliance.
Does Anysphere comply with HIPAA ?
According to Rankiteo, Anysphere is not compliant with HIPAA regulations.
Does Anysphere have ISO 27001 certification ?
According to Rankiteo,Anysphere is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Anysphere
Anysphere operates primarily in the Software Development industry.
Number of Employees at Anysphere
Anysphere employs approximately 1,393 people worldwide.
Subsidiaries Owned by Anysphere
Anysphere presently has no subsidiaries across any sectors.
Anysphere’s LinkedIn Followers
Anysphere’s official LinkedIn profile has approximately 29,557 followers.
NAICS Classification of Anysphere
Anysphere is classified under the NAICS code 5112, which corresponds to Software Publishers.
Anysphere’s Presence on Crunchbase
No, Anysphere does not have a profile on Crunchbase.
Anysphere’s Presence on LinkedIn
Yes, Anysphere maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/anysphereinc.
Cybersecurity Incidents Involving Anysphere
As of January 24, 2026, Rankiteo reports that Anysphere has experienced 3 cybersecurity incidents.
Number of Peer and Competitor Companies
Anysphere has an estimated 28,193 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Anysphere ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability.
How does Anysphere detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with oasis security (vulnerability analysis), third party assistance with checkmarx (supply chain security report), and containment measures with enable workspace trust in cursor, containment measures with audit repositories before opening in cursor, containment measures with use alternative editors for untrusted projects, containment measures with monitor claude code for unexpected data access, containment measures with sandbox ai-generated test cases, and remediation measures with cursor: enable workspace trust by default (pending), remediation measures with anthropic: patch websocket auth bypass (cve-2025-52882), remediation measures with fix sqli in postgres mcp, remediation measures with address path traversal in microsoft nlweb, remediation measures with mitigate open redirect/xss in base44, remediation measures with improve cross-origin controls in ollama desktop, and communication strategy with public disclosure by oasis security/checkmarx, communication strategy with anthropic advisories on prompt injection risks, communication strategy with imperva blog on classical security failures in ai tools, and enhanced monitoring with monitor ai tool interactions (e.g., claude code file edits), enhanced monitoring with log websocket connections in ide extensions, and and third party assistance with check point research, and containment measures with patch release (cursor v1.3), containment measures with re-approval requirement for mcp configurations, and remediation measures with codebase audit, remediation measures with trust model redesign for mcp configurations, and communication strategy with public advisory, communication strategy with responsible disclosure coordination, and and third party assistance with check point research (cpr), and containment measures with security patch (july 30, 2025), containment measures with mcp configuration validation, and remediation measures with code audits for mcp files, remediation measures with access control restrictions, remediation measures with developer awareness training, and communication strategy with public disclosure via blog post, communication strategy with technical details and demo video, communication strategy with recommendations for mitigation, and enhanced monitoring with mcp configuration changes, enhanced monitoring with repository activity..
Incident Details
Can you provide details on each incident ?
Title: Cursor AI-Powered Code Editor Arbitrary Code Execution Vulnerability via Malicious Repository
Description: A security weakness in the AI-powered code editor **Cursor** allows arbitrary code execution when a maliciously crafted repository is opened. The issue arises because **Workspace Trust** (a VS Code security feature) is **disabled by default** in Cursor, enabling attackers to auto-execute malicious tasks via `.vscode/tasks.json` when a folder is opened. This could lead to credential leaks, file modifications, or broader system compromise. The vulnerability exposes users to **supply chain attacks** via booby-trapped repositories hosted on platforms like GitHub. Users are advised to enable Workspace Trust, audit untrusted repositories, and use alternative editors for suspicious projects. The incident highlights broader risks in AI-powered coding tools, including **prompt injection/jailbreak attacks** (e.g., tricking Claude Code into ignoring vulnerabilities or executing malicious test cases), **WebSocket authentication bypass (CVE-2025-52882)**, **SQL injection in Postgres MCP**, **path traversal in Microsoft NLWeb**, and **open redirect/XSS in Base44**. Anthropic and other vendors have acknowledged these risks, emphasizing the need for sandboxing, monitoring, and classical security controls in AI-driven development environments.
Date Publicly Disclosed: 2024-10-01T00:00:00Z
Type: Arbitrary Code Execution
Attack Vector: Malicious Repository (GitHub/other platforms)Auto-execution via `.vscode/tasks.json` (Workspace Trust disabled)Prompt Injection in AI Code Assistants (Claude Code, etc.)WebSocket Authentication Bypass (CVE-2025-52882)SQL Injection (Postgres MCP)Path Traversal (Microsoft NLWeb)Open Redirect/Stored XSS (Base44)
Vulnerability Exploited: Disabled Workspace Trust in Cursor (VS Code fork)Auto-execution of `runOptions.runOn: 'folderOpen'` in tasksLack of sandboxing in AI-generated test cases (Claude Code)Incomplete cross-origin controls (Ollama Desktop)Incorrect authorization (Lovable, CVE-2025-48757)WebSocket auth bypass (CVE-2025-52882, CVSS: 8.8)SQLi in Postgres MCP (bypassing read-only restrictions)Path traversal in Microsoft NLWeb (reading `/etc/passwd`, `.env`)
Motivation: Supply chain compromiseCredential theftData exfiltrationSystem persistenceAI model manipulation (prompt injection)
Title: Remote Code Execution Vulnerability in Cursor AI (CVE-2025-54136 / MCPoison)
Description: A high-severity security flaw in the AI-powered code editor Cursor, codenamed MCPoison (CVE-2025-54136, CVSS score: 7.2), allows remote code execution by exploiting a quirk in Model Context Protocol (MCP) server configurations. Attackers can modify an approved MCP configuration file in a shared GitHub repository or locally to achieve persistent code execution without triggering warnings. The vulnerability was patched in Cursor version 1.3 by requiring re-approval for MCP configuration changes.
Date Publicly Disclosed: 2025-07-16
Date Resolved: 2025-07-31
Type: Vulnerability
Attack Vector: Shared Repository (GitHub)Local File ModificationMCP Configuration PoisoningSupply Chain Compromise
Vulnerability Exploited: CVE-2025-54136 (MCPoison) - Trust Model Flaw in MCP Configuration Handling
Title: MCPoison Vulnerability in Cursor AI-Based Developer Tool (CVE-2025-54136)
Description: Security researchers from Check Point discovered a critical vulnerability (CVE-2025-54136, dubbed 'MCPoison') in the AI-based developer tool Cursor. The flaw allows attackers to permanently inject malicious code into development projects via the Model Context Protocol (MCP) configuration without user detection or re-prompting. Once an MCP configuration is approved, it remains active even if later manipulated, enabling silent, persistent remote code execution each time the project is opened. This poses risks such as backdoor access, data theft, intellectual property loss, and erosion of trust in AI tools. The vulnerability was patched in a security update released on July 30, 2025.
Date Detected: 2025-07-16
Date Publicly Disclosed: 2025-07-30
Date Resolved: 2025-07-30
Type: Vulnerability Exploitation
Attack Vector: Compromised Software DependencyManipulated Configuration Files (MCP)Social Engineering (Trusted Repository Abuse)
Vulnerability Exploited: CVE-2025-54136 (MCPoison - MCP Trust Bypass)
Motivation: EspionageIntellectual Property TheftPersistent AccessData Exfiltration
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Vulnerability.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Malicious repository (GitHub, etc.) with crafted `.vscode/tasks.json`Prompt injection via external files/websites (Claude Code)WebSocket connection to unauthenticated local server (CVE-2025-52882), Shared GitHub RepositoryLocal MCP Configuration File and Compromised MCP Configuration in Shared Repository.
Impact of the Incidents
What was the impact of each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Data Compromised: Sensitive credentials, Source code/files, System configurations (e.g., `/etc/passwd`), Cloud credentials (.env files), Project data (via ai tools like claude code)
Systems Affected: Cursor (AI-powered VS Code fork)Claude Code (Anthropic)Postgres MCP serverMicrosoft NLWebLovable (CVE-2025-48757)Base44Ollama DesktopDeveloper workstations (via malicious repositories)
Operational Impact: Compromised development environmentsMalicious code pushed to production (via tricked AI reviews)Loss of trust in AI-assisted coding toolsIncident response overhead for affected teams
Brand Reputation Impact: Erosion of trust in Cursor/Anthropic security practicesNegative perception of AI-driven development safety
Identity Theft Risk: High (via credential leaks)
Incident : Vulnerability ANY3152731110525
Data Compromised: Potential intellectual property theft, Codebase compromise, Sensitive project data
Systems Affected: Cursor AI (versions < 1.3)AI-Assisted Development EnvironmentsLLM-Integrated Workflows
Operational Impact: Supply Chain Risk ExposureLoss of Trust in AI ToolsDisruption of Development Workflows
Brand Reputation Impact: Potential Erosion of Trust in AI Code EditorsConcerns Over AI Security Posture
Incident : Vulnerability Exploitation ANY5853058110525
Data Compromised: Source code, Local developer credentials, Internal documentation, Access tokens
Systems Affected: Cursor IDE (AI-Powered Developer Tool)Projects Using MCP Configurations
Operational Impact: Disruption of Development WorkflowsLoss of Developer ProductivityIncident Response Overhead
Brand Reputation Impact: Erosion of Trust in AI ToolsNegative Perception of Cursor's Security Practices
Identity Theft Risk: ['Developer Credentials', 'API Keys']
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credentials, Source Code, System Files, Environment Variables, Project Metadata, , Code Repositories, Mcp Configuration Files, Potential Intellectual Property, , Source Code, Developer Credentials, Internal Documentation and .
Which entities were affected by each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Entity Name: Cursor
Entity Type: Software Vendor
Industry: Technology (AI/Developer Tools)
Customers Affected: All Cursor users (especially those opening untrusted repositories)
Incident : Arbitrary Code Execution ANY2753327100225
Entity Name: Anthropic
Entity Type: AI Company
Industry: Artificial Intelligence
Location: United States
Customers Affected: Claude Code users (risk of prompt injection, SQLi, WebSocket bypass)
Incident : Arbitrary Code Execution ANY2753327100225
Entity Name: Developers using AI-assisted tools
Entity Type: End Users
Industry: Software Development
Location: Global
Incident : Vulnerability ANY3152731110525
Entity Name: Cursor
Entity Type: Private Company
Industry: Software Development, AI/ML, Developer Tools
Incident : Vulnerability Exploitation ANY5853058110525
Entity Name: Cursor
Entity Type: Private Company
Industry: Software Development (AI-Powered Tools)
Customers Affected: Developers, Startups, Research Teams
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Third Party Assistance: Oasis Security (Vulnerability Analysis), Checkmarx (Supply Chain Security Report).
Containment Measures: Enable Workspace Trust in CursorAudit repositories before opening in CursorUse alternative editors for untrusted projectsMonitor Claude Code for unexpected data accessSandbox AI-generated test cases
Remediation Measures: Cursor: Enable Workspace Trust by default (pending)Anthropic: Patch WebSocket auth bypass (CVE-2025-52882)Fix SQLi in Postgres MCPAddress path traversal in Microsoft NLWebMitigate open redirect/XSS in Base44Improve cross-origin controls in Ollama Desktop
Communication Strategy: Public disclosure by Oasis Security/CheckmarxAnthropic advisories on prompt injection risksImperva blog on classical security failures in AI tools
Enhanced Monitoring: Monitor AI tool interactions (e.g., Claude Code file edits)Log WebSocket connections in IDE extensions
Incident : Vulnerability ANY3152731110525
Incident Response Plan Activated: True
Third Party Assistance: Check Point Research.
Containment Measures: Patch Release (Cursor v1.3)Re-approval Requirement for MCP Configurations
Remediation Measures: Codebase AuditTrust Model Redesign for MCP Configurations
Communication Strategy: Public AdvisoryResponsible Disclosure Coordination
Incident : Vulnerability Exploitation ANY5853058110525
Incident Response Plan Activated: True
Third Party Assistance: Check Point Research (Cpr).
Containment Measures: Security Patch (July 30, 2025)MCP Configuration Validation
Remediation Measures: Code Audits for MCP FilesAccess Control RestrictionsDeveloper Awareness Training
Communication Strategy: Public Disclosure via Blog PostTechnical Details and Demo VideoRecommendations for Mitigation
Enhanced Monitoring: MCP Configuration ChangesRepository Activity
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Oasis Security (vulnerability analysis), Checkmarx (supply chain security report), , Check Point Research, , Check Point Research (CPR), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Arbitrary Code Execution ANY2753327100225
Type of Data Compromised: Credentials, Source code, System files, Environment variables, Project metadata
Sensitivity of Data: High (includes authentication secrets, proprietary code)
Data Exfiltration: Possible (via malicious tasks or prompt injection)
File Types Exposed: .vscode/tasks.json.envDatabase configurationsSystem files (e.g., /etc/passwd)
Personally Identifiable Information: Potential (if credentials include PII)
Incident : Vulnerability ANY3152731110525
Type of Data Compromised: Code repositories, Mcp configuration files, Potential intellectual property
Sensitivity of Data: High (Code Execution Capability)Medium (Development Workflow Disruption)
Data Exfiltration: Possible (if exploited)
File Types Exposed: .cursor/rules/mcp.jsonPotential Script Files
Incident : Vulnerability Exploitation ANY5853058110525
Type of Data Compromised: Source code, Developer credentials, Internal documentation
Sensitivity of Data: High (Intellectual Property)High (Access Credentials)
File Types Exposed: MCP Configuration FilesProject Source Files
Personally Identifiable Information: Developer Identities (via Credentials)
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Cursor: Enable Workspace Trust by default (pending), Anthropic: Patch WebSocket auth bypass (CVE-2025-52882), Fix SQLi in Postgres MCP, Address path traversal in Microsoft NLWeb, Mitigate open redirect/XSS in Base44, Improve cross-origin controls in Ollama Desktop, , Codebase Audit, Trust Model Redesign for MCP Configurations, , Code Audits for MCP Files, Access Control Restrictions, Developer Awareness Training, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by enable workspace trust in cursor, audit repositories before opening in cursor, use alternative editors for untrusted projects, monitor claude code for unexpected data access, sandbox ai-generated test cases, , patch release (cursor v1.3), re-approval requirement for mcp configurations, , security patch (july 30, 2025), mcp configuration validation and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : Vulnerability Exploitation ANY5853058110525
Data Exfiltration: True
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Lessons Learned: Default security settings in AI tools must prioritize safety over convenience (e.g., Workspace Trust enabled by default)., AI-assisted coding introduces novel attack vectors (prompt injection, jailbreaks) that bypass traditional controls., Classical vulnerabilities (SQLi, XSS, path traversal) remain critical even in AI-driven environments., Sandboxing and input validation are essential for AI-generated code/test cases., Supply chain risks extend to AI model integrations (e.g., MCP, Google APIs)., Developer education is key to mitigating social engineering via malicious repositories.
Incident : Vulnerability ANY3152731110525
Lessons Learned: AI tool trust models require dynamic validation mechanisms, not static approvals., Supply chain risks in AI/ML ecosystems extend beyond traditional software dependencies., MCP and similar LLM integration protocols need robust change-detection safeguards., Developer tools with LLM integration create new attack surfaces for code execution., Static approval mechanisms for AI configurations are insufficient against dynamic threats.
Incident : Vulnerability Exploitation ANY5853058110525
Lessons Learned: AI-powered tools introduce new attack surfaces by automating trust in workflows., Permanent approval mechanisms for configurations can be exploited for persistent access., Collaborative environments amplify risks when malicious changes go unnoticed., Blind trust in automation undermines security, especially in shared repositories.
What recommendations were made to prevent future incidents ?
Incident : Arbitrary Code Execution ANY2753327100225
Recommendations: For Organizations: Include AI tool risks in third-party security assessments., Restrict AI code assistants to non-production environments where possible., Deploy network controls to limit outbound connections from IDEs., Train developers on AI-specific threats (e.g., prompt injection)., Monitor for anomalous activity in version control systems (e.g., sudden malicious commits)., For Organizations: Include AI tool risks in third-party security assessments., Restrict AI code assistants to non-production environments where possible., Deploy network controls to limit outbound connections from IDEs., Train developers on AI-specific threats (e.g., prompt injection)., Monitor for anomalous activity in version control systems (e.g., sudden malicious commits)., For Organizations: Include AI tool risks in third-party security assessments., Restrict AI code assistants to non-production environments where possible., Deploy network controls to limit outbound connections from IDEs., Train developers on AI-specific threats (e.g., prompt injection)., Monitor for anomalous activity in version control systems (e.g., sudden malicious commits)..
Incident : Vulnerability ANY3152731110525
Recommendations: Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).Implement runtime integrity checks for AI configuration files (e.g., MCP)., Adopt zero-trust principles for AI tool integrations in development workflows., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Conduct regular security audits of AI/ML supply chain dependencies., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution).
Incident : Vulnerability Exploitation ANY5853058110525
Recommendations: Treat MCP files with the same rigor as source code (version control, audits)., Avoid approving MCP configurations without full understanding of their functionality., Restrict write access to repositories to authorized personnel only., Implement continuous monitoring for changes to MCP configurations., Educate developers on the risks of automated workflows and social engineering tactics., Adopt a zero-trust approach to third-party integrations in development tools.Treat MCP files with the same rigor as source code (version control, audits)., Avoid approving MCP configurations without full understanding of their functionality., Restrict write access to repositories to authorized personnel only., Implement continuous monitoring for changes to MCP configurations., Educate developers on the risks of automated workflows and social engineering tactics., Adopt a zero-trust approach to third-party integrations in development tools.Treat MCP files with the same rigor as source code (version control, audits)., Avoid approving MCP configurations without full understanding of their functionality., Restrict write access to repositories to authorized personnel only., Implement continuous monitoring for changes to MCP configurations., Educate developers on the risks of automated workflows and social engineering tactics., Adopt a zero-trust approach to third-party integrations in development tools.Treat MCP files with the same rigor as source code (version control, audits)., Avoid approving MCP configurations without full understanding of their functionality., Restrict write access to repositories to authorized personnel only., Implement continuous monitoring for changes to MCP configurations., Educate developers on the risks of automated workflows and social engineering tactics., Adopt a zero-trust approach to third-party integrations in development tools.Treat MCP files with the same rigor as source code (version control, audits)., Avoid approving MCP configurations without full understanding of their functionality., Restrict write access to repositories to authorized personnel only., Implement continuous monitoring for changes to MCP configurations., Educate developers on the risks of automated workflows and social engineering tactics., Adopt a zero-trust approach to third-party integrations in development tools.Treat MCP files with the same rigor as source code (version control, audits)., Avoid approving MCP configurations without full understanding of their functionality., Restrict write access to repositories to authorized personnel only., Implement continuous monitoring for changes to MCP configurations., Educate developers on the risks of automated workflows and social engineering tactics., Adopt a zero-trust approach to third-party integrations in development tools.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Default security settings in AI tools must prioritize safety over convenience (e.g., Workspace Trust enabled by default).,AI-assisted coding introduces novel attack vectors (prompt injection, jailbreaks) that bypass traditional controls.,Classical vulnerabilities (SQLi, XSS, path traversal) remain critical even in AI-driven environments.,Sandboxing and input validation are essential for AI-generated code/test cases.,Supply chain risks extend to AI model integrations (e.g., MCP, Google APIs).,Developer education is key to mitigating social engineering via malicious repositories.AI tool trust models require dynamic validation mechanisms, not static approvals.,Supply chain risks in AI/ML ecosystems extend beyond traditional software dependencies.,MCP and similar LLM integration protocols need robust change-detection safeguards.,Developer tools with LLM integration create new attack surfaces for code execution.,Static approval mechanisms for AI configurations are insufficient against dynamic threats.AI-powered tools introduce new attack surfaces by automating trust in workflows.,Permanent approval mechanisms for configurations can be exploited for persistent access.,Collaborative environments amplify risks when malicious changes go unnoticed.,Blind trust in automation undermines security, especially in shared repositories.
References
Where can I find more information about each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Source: Oasis Security Analysis
URL: https://oasis.security/blog/cursor-workspace-trust-vulnerability
Date Accessed: 2024-10-01
Incident : Arbitrary Code Execution ANY2753327100225
Source: Checkmarx Report on AI Supply Chain Risks
URL: https://checkmarx.com/blog/ai-driven-development-security-risks
Date Accessed: 2024-09-28
Incident : Arbitrary Code Execution ANY2753327100225
Source: Anthropic Security Advisory (Claude Code)
URL: https://anthropic.com/security/prompt-injection-risks
Date Accessed: 2024-09-30
Incident : Arbitrary Code Execution ANY2753327100225
Source: Imperva Blog on AI Security Failures
URL: https://imperva.com/blog/ai-driven-development-security-gaps
Date Accessed: 2024-10-02
Incident : Arbitrary Code Execution ANY2753327100225
Source: CVE-2025-52882 (WebSocket Auth Bypass)
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52882
Date Accessed: 2024-10-01
Incident : Arbitrary Code Execution ANY2753327100225
Source: CVE-2025-48757 (Lovable Authorization Bypass)
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48757
Date Accessed: 2024-09-29
Incident : Vulnerability ANY3152731110525
Source: Check Point Research Advisory
Incident : Vulnerability ANY3152731110525
Source: Cursor Security Advisory (v1.3)
Incident : Vulnerability ANY3152731110525
Source: Anthropic MCP Standard Documentation
Incident : Vulnerability ANY3152731110525
Source: Pillar Security Analysis on AI Jailbreaks
Incident : Vulnerability Exploitation ANY5853058110525
Source: Check Point Research (CPR) Blog
URL: https://research.checkpoint.com/2025/cursor-ide-persistent-code-execution-via-mcp-trust-bypass/
Incident : Vulnerability Exploitation ANY5853058110525
Source: Technical Details & Demo Video
URL: https://research.checkpoint.com/2025/cursor-mcpoison-demo/
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Oasis Security AnalysisUrl: https://oasis.security/blog/cursor-workspace-trust-vulnerabilityDate Accessed: 2024-10-01, and Source: Checkmarx Report on AI Supply Chain RisksUrl: https://checkmarx.com/blog/ai-driven-development-security-risksDate Accessed: 2024-09-28, and Source: Anthropic Security Advisory (Claude Code)Url: https://anthropic.com/security/prompt-injection-risksDate Accessed: 2024-09-30, and Source: Imperva Blog on AI Security FailuresUrl: https://imperva.com/blog/ai-driven-development-security-gapsDate Accessed: 2024-10-02, and Source: CVE-2025-52882 (WebSocket Auth Bypass)Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52882Date Accessed: 2024-10-01, and Source: CVE-2025-48757 (Lovable Authorization Bypass)Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48757Date Accessed: 2024-09-29, and Source: Check Point Research Advisory, and Source: Cursor Security Advisory (v1.3), and Source: Anthropic MCP Standard Documentation, and Source: Pillar Security Analysis on AI Jailbreaks, and Source: Check Point Research (CPR) BlogUrl: https://research.checkpoint.com/2025/cursor-ide-persistent-code-execution-via-mcp-trust-bypass/, and Source: Technical Details & Demo VideoUrl: https://research.checkpoint.com/2025/cursor-mcpoison-demo/.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Investigation Status: Ongoing (vendor patches pending; community awareness raised)
Incident : Vulnerability ANY3152731110525
Investigation Status: Resolved (Patched)
Incident : Vulnerability Exploitation ANY5853058110525
Investigation Status: Resolved (Patch Released)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Disclosure By Oasis Security/Checkmarx, Anthropic Advisories On Prompt Injection Risks, Imperva Blog On Classical Security Failures In Ai Tools, Public Advisory, Responsible Disclosure Coordination, Public Disclosure Via Blog Post, Technical Details And Demo Video and Recommendations For Mitigation.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Stakeholder Advisories: Developers: Audit Repositories And Enable Workspace Trust., Security Teams: Monitor For Ai Tool Abuses And Supply Chain Attacks., Executives: Assess Organizational Exposure To Ai-Driven Development Risks..
Customer Advisories: Cursor users: Update settings to enable Workspace Trust immediately.Claude Code users: Review security advisories on prompt injection.Open-source maintainers: Audit repositories for malicious `.vscode/` configurations.
Incident : Vulnerability ANY3152731110525
Stakeholder Advisories: Developers Using Cursor < V1.3 Urged To Update Immediately, Organizations Advised To Audit Mcp Configurations In Shared Repositories.
Customer Advisories: Users recommended to review approved MCP configurationsWarning about potential malicious MCP files in collaborative projects
Incident : Vulnerability Exploitation ANY5853058110525
Stakeholder Advisories: Developers Urged To Update Cursor Immediately., Teams Advised To Audit Mcp Configurations In Existing Projects., Organizations Recommended To Review Access Controls For Shared Repositories..
Customer Advisories: Users instructed to apply the July 30, 2025 security update.Warning against approving untrusted MCP configurations.Guidance provided on securing development environments.
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Developers: Audit Repositories And Enable Workspace Trust., Security Teams: Monitor For Ai Tool Abuses And Supply Chain Attacks., Executives: Assess Organizational Exposure To Ai-Driven Development Risks., Cursor Users: Update Settings To Enable Workspace Trust Immediately., Claude Code Users: Review Security Advisories On Prompt Injection., Open-Source Maintainers: Audit Repositories For Malicious `.Vscode/` Configurations., , Developers Using Cursor < V1.3 Urged To Update Immediately, Organizations Advised To Audit Mcp Configurations In Shared Repositories, Users Recommended To Review Approved Mcp Configurations, Warning About Potential Malicious Mcp Files In Collaborative Projects, , Developers Urged To Update Cursor Immediately., Teams Advised To Audit Mcp Configurations In Existing Projects., Organizations Recommended To Review Access Controls For Shared Repositories., Users Instructed To Apply The July 30, 2025 Security Update., Warning Against Approving Untrusted Mcp Configurations., Guidance Provided On Securing Development Environments. and .
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Entry Point: Malicious Repository (Github, Etc.) With Crafted `.Vscode/Tasks.Json`, Prompt Injection Via External Files/Websites (Claude Code), Websocket Connection To Unauthenticated Local Server (Cve-2025-52882),
Backdoors Established: Possible (via persistent malicious tasks or AI model poisoning)
High Value Targets: Developer Workstations, Ci/Cd Pipelines, Cloud Credentials (.Env Files), Proprietary Codebases,
Data Sold on Dark Web: Developer Workstations, Ci/Cd Pipelines, Cloud Credentials (.Env Files), Proprietary Codebases,
Incident : Vulnerability ANY3152731110525
Entry Point: Shared Github Repository, Local Mcp Configuration File,
Backdoors Established: Persistent code execution via modified MCP config
High Value Targets: Development Environments, Intellectual Property, Build Systems,
Data Sold on Dark Web: Development Environments, Intellectual Property, Build Systems,
Incident : Vulnerability Exploitation ANY5853058110525
Entry Point: Compromised Mcp Configuration In Shared Repository,
Backdoors Established: ['Persistent Remote Code Execution via MCP']
High Value Targets: Source Code, Developer Credentials, Internal Documentation,
Data Sold on Dark Web: Source Code, Developer Credentials, Internal Documentation,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Arbitrary Code Execution ANY2753327100225
Root Causes: Insecure Default Settings (Workspace Trust Disabled In Cursor)., Lack Of Input Validation For Ai Tool Integrations (Prompt Injection)., Insufficient Sandboxing For Auto-Executed Tasks/Code., Classical Vulnerabilities In Ai-Adjacent Components (Websocket, Sqli)., Over-Reliance On User Vigilance For Supply Chain Risks.,
Corrective Actions: Cursor: Change Default To Enable Workspace Trust., Anthropic: Enhance Prompt Injection Defenses In Claude Code., Vendors: Patch Websocket/Sqli/Path Traversal Flaws., Industry: Develop Standards For Secure Ai-Assisted Development., Community: Share Indicators Of Compromise (Iocs) For Malicious Repositories.,
Incident : Vulnerability ANY3152731110525
Root Causes: Static Trust Model For Mcp Configurations (One-Time Approval Persisted Indefinitely)., Lack Of Change Detection For Approved Ai Tool Configurations., Over-Reliance On Repository Integrity For Ai Configuration Files., Insufficient Isolation Between Collaborative Code And Ai Tool Configurations.,
Corrective Actions: Implemented Dynamic Re-Approval For Mcp Configuration Changes (Cursor V1.3)., Enhanced Validation Of Mcp File Integrity During Runtime., Added Warnings For Mcp Configurations From Untrusted Sources., Improved Documentation On Secure Mcp Usage In Collaborative Environments.,
Incident : Vulnerability Exploitation ANY5853058110525
Root Causes: Overly Permissive Trust Model For Mcp Configurations., Lack Of Re-Validation For Approved Configurations After Modification., Insufficient Developer Awareness Of Mcp Risks., Automated Workflows Bypassing Manual Security Checks.,
Corrective Actions: Implemented Re-Validation Prompts For Modified Mcp Configurations., Enhanced Logging For Mcp Execution Events., Added Warnings For High-Risk Mcp Operations., Published Security Best Practices For Cursor Users.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Oasis Security (Vulnerability Analysis), Checkmarx (Supply Chain Security Report), , Monitor Ai Tool Interactions (E.G., Claude Code File Edits), Log Websocket Connections In Ide Extensions, , Check Point Research, , Check Point Research (Cpr), , Mcp Configuration Changes, Repository Activity, .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Cursor: Change Default To Enable Workspace Trust., Anthropic: Enhance Prompt Injection Defenses In Claude Code., Vendors: Patch Websocket/Sqli/Path Traversal Flaws., Industry: Develop Standards For Secure Ai-Assisted Development., Community: Share Indicators Of Compromise (Iocs) For Malicious Repositories., , Implemented Dynamic Re-Approval For Mcp Configuration Changes (Cursor V1.3)., Enhanced Validation Of Mcp File Integrity During Runtime., Added Warnings For Mcp Configurations From Untrusted Sources., Improved Documentation On Secure Mcp Usage In Collaborative Environments., , Implemented Re-Validation Prompts For Modified Mcp Configurations., Enhanced Logging For Mcp Execution Events., Added Warnings For High-Risk Mcp Operations., Published Security Best Practices For Cursor Users., .
Additional Questions
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2025-07-16.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-07-30.
What was the most recent incident resolved ?
Most Recent Incident Resolved: The most recent incident resolved was on 2025-07-31.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Sensitive credentials, Source code/files, System configurations (e.g., `/etc/passwd`), Cloud credentials (.env files), Project data (via AI tools like Claude Code), , Potential Intellectual Property Theft, Codebase Compromise, Sensitive Project Data, , Source Code, Local Developer Credentials, Internal Documentation, Access Tokens and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Cursor (AI-powered VS Code fork)Claude Code (Anthropic)Postgres MCP serverMicrosoft NLWebLovable (CVE-2025-48757)Base44Ollama DesktopDeveloper workstations (via malicious repositories) and Cursor AI (versions < 1.3)AI-Assisted Development EnvironmentsLLM-Integrated Workflows and Cursor IDE (AI-Powered Developer Tool)Projects Using MCP Configurations.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was oasis security (vulnerability analysis), checkmarx (supply chain security report), , check point research, , check point research (cpr), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Enable Workspace Trust in CursorAudit repositories before opening in CursorUse alternative editors for untrusted projectsMonitor Claude Code for unexpected data accessSandbox AI-generated test cases, Patch Release (Cursor v1.3)Re-approval Requirement for MCP Configurations, Security Patch (July 30 and 2025)MCP Configuration Validation.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Codebase Compromise, Potential Intellectual Property Theft, Sensitive credentials, Project data (via AI tools like Claude Code), Cloud credentials (.env files), Local Developer Credentials, Internal Documentation, Source Code, Access Tokens, System configurations (e.g., `/etc/passwd`), Source code/files and Sensitive Project Data.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Blind trust in automation undermines security, especially in shared repositories.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Adopt a zero-trust approach to third-party integrations in development tools., Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution)., Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning)., Isolate AI tool configurations from shared repositories when possible., Monitor for anomalous behavior in LLM-assisted code generation/outputs., Restrict write access to repositories to authorized personnel only., Educate developers on the risks of automated workflows and social engineering tactics., Adopt zero-trust principles for AI tool integrations in development workflows., Treat MCP files with the same rigor as source code (version control, audits)., Conduct regular security audits of AI/ML supply chain dependencies., Avoid approving MCP configurations without full understanding of their functionality., Implement runtime integrity checks for AI configuration files (e.g., MCP). and Implement continuous monitoring for changes to MCP configurations..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Technical Details & Demo Video, CVE-2025-48757 (Lovable Authorization Bypass), Anthropic MCP Standard Documentation, Check Point Research (CPR) Blog, Imperva Blog on AI Security Failures, CVE-2025-52882 (WebSocket Auth Bypass), Checkmarx Report on AI Supply Chain Risks, Pillar Security Analysis on AI Jailbreaks, Anthropic Security Advisory (Claude Code), Oasis Security Analysis, Cursor Security Advisory (v1.3) and Check Point Research Advisory.
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://oasis.security/blog/cursor-workspace-trust-vulnerability, https://checkmarx.com/blog/ai-driven-development-security-risks, https://anthropic.com/security/prompt-injection-risks, https://imperva.com/blog/ai-driven-development-security-gaps, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52882, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48757, https://research.checkpoint.com/2025/cursor-ide-persistent-code-execution-via-mcp-trust-bypass/, https://research.checkpoint.com/2025/cursor-mcpoison-demo/ .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (vendor patches pending; community awareness raised).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Developers: Audit repositories and enable Workspace Trust., Security Teams: Monitor for AI tool abuses and supply chain attacks., Executives: Assess organizational exposure to AI-driven development risks., Developers using Cursor < v1.3 urged to update immediately, Organizations advised to audit MCP configurations in shared repositories, Developers urged to update Cursor immediately., Teams advised to audit MCP configurations in existing projects., Organizations recommended to review access controls for shared repositories., .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Cursor users: Update settings to enable Workspace Trust immediately.Claude Code users: Review security advisories on prompt injection.Open-source maintainers: Audit repositories for malicious `.vscode/` configurations., Users recommended to review approved MCP configurationsWarning about potential malicious MCP files in collaborative projects, Users instructed to apply the July 30 and 2025 security update.Warning against approving untrusted MCP configurations.Guidance provided on securing development environments.
Initial Access Broker
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Insecure default settings (Workspace Trust disabled in Cursor).Lack of input validation for AI tool integrations (prompt injection).Insufficient sandboxing for auto-executed tasks/code.Classical vulnerabilities in AI-adjacent components (WebSocket, SQLi).Over-reliance on user vigilance for supply chain risks., Static trust model for MCP configurations (one-time approval persisted indefinitely).Lack of change detection for approved AI tool configurations.Over-reliance on repository integrity for AI configuration files.Insufficient isolation between collaborative code and AI tool configurations., Overly permissive trust model for MCP configurations.Lack of re-validation for approved configurations after modification.Insufficient developer awareness of MCP risks.Automated workflows bypassing manual security checks..
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Cursor: Change default to enable Workspace Trust.Anthropic: Enhance prompt injection defenses in Claude Code.Vendors: Patch WebSocket/SQLi/path traversal flaws.Industry: Develop standards for secure AI-assisted development.Community: Share indicators of compromise (IoCs) for malicious repositories., Implemented dynamic re-approval for MCP configuration changes (Cursor v1.3).Enhanced validation of MCP file integrity during runtime.Added warnings for MCP configurations from untrusted sources.Improved documentation on secure MCP usage in collaborative environments., Implemented re-validation prompts for modified MCP configurations.Enhanced logging for MCP execution events.Added warnings for high-risk MCP operations.Published security best practices for Cursor users..
.png)
Latest Global CVEs (Not Company-Specific)
Description
Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.
Risk Information
cvss3
Base: 5.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Description
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results.
Description
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.
Description
A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.
Risk Information
cvss3
Base: 6.0
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
cvss4
Base: 6.0
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
Description
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions.
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=anysphereinc' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
