New "Agentjacking" Attack Exploits AI Coding Agents to Execute Malicious Code A novel cyberattack dubbed "Agentjacking" has emerged, allowing threat actors to hijack AI-powered coding assistants such as Claude Code and Cursor and silently execute attacker-controlled code on developers' machines. The attack requires no phishing, malware delivery, or infrastructure breach, relying instead on a single injected Sentry error to compromise systems. The exploit leverages Sentry’s public Data Source Name (DSN), a write-only credential commonly embedded in frontend JavaScript and indexed across the web. By manipulating this credential, attackers can turn trusted AI agents into an execution layer for malicious commands, bypassing traditional security measures. The attack highlights critical risks in autonomous AI tools operating with full user privileges outside sandboxed environments. While the technique does not require direct access to a victim’s infrastructure, it underscores vulnerabilities in how AI assistants interact with external error-tracking systems. Security researchers warn that this method could enable unauthorized code execution at scale, posing significant threats to developers and organizations relying on AI-driven workflows. The incident raises concerns about the security posture of AI integrations in software development pipelines.

Critical Vulnerability in Cursor AI IDE Exposes Developers to Arbitrary Code Execution Researchers from threat hunting firm Novee uncovered a high-severity vulnerability (CVE-2026-26268, CVSS 8.1) in Cursor, a popular AI-powered Integrated Development Environment (IDE). The flaw enables attackers to execute arbitrary code on a developer’s machine simply by tricking them into cloning a malicious repository. Unlike traditional exploits, this vulnerability stems from how Cursor’s AI agent interacts with Git, rather than a bug in the IDE’s core logic. Attackers exploit Git hooks scripts that run automatically during version control tasks by embedding a malicious pre-commit hook in a nested bare repository (a hidden folder containing version control data). When Cursor’s AI performs routine operations like a git checkout, it unknowingly triggers the hook, executing the attacker’s code without user interaction or warnings. The risk is amplified by AI agents’ growing autonomy. Unlike past client-side attacks requiring user action (e.g., clicking a link), this exploit leverages Cursor’s ability to automate tasks on untrusted code, making it scalable and stealthy. Since developers routinely clone public repositories, the attack surface expands as AI tools process external code without oversight. Novee disclosed the flaw to Cursor’s developers under responsible disclosure, leading to a patch in February 2026. Details were publicly released on April 28, 2026. The incident highlights a broader security concern: AI-powered coding assistants operate in high-privilege environments, often handling sensitive data like access tokens, passwords, and proprietary code. Security teams are now urged to audit these tools, as traditional assumptions about their safety may no longer hold.

North Korean Hackers Leverage AI to Steal $12 Million in Cryptocurrency Cybersecurity firm Expel has uncovered a North Korean state-sponsored hacking campaign that exploited AI tools to orchestrate a large-scale cryptocurrency theft operation. The group, dubbed HexagonalRodent, targeted over 2,000 developers working on cryptocurrency, NFT, and Web3 projects, using AI-generated malware and phishing infrastructure to siphon an estimated $12 million in just three months. Unlike highly sophisticated cybercrime syndicates, HexagonalRodent relied on AI platforms including OpenAI, Cursor, and Anima to compensate for its lack of technical expertise. The hackers used these tools to write malware, design fake company websites, and craft phishing lures, particularly fraudulent job offers aimed at developers. Victims were tricked into downloading malware-laced coding assignments, which stole credentials and, in some cases, crypto wallet keys. Security researcher Marcus Hutchins, who identified the group, noted that the operation’s success stemmed not from advanced hacking skills but from AI’s ability to automate tasks that would otherwise require significant technical knowledge. The hackers’ reliance on AI was evident in their malware, which included unusual features like excessive English-language comments and emoji-littered code hallmarks of large language model-generated software. Despite their effectiveness, the group left critical infrastructure exposed, revealing their AI prompts and a database tracking victim wallets. While the $12 million figure represents the total value of compromised wallets, researchers could not confirm whether all funds had been drained, as some wallets may have been protected by hardware security tokens. The campaign underscores how AI is lowering the barrier to entry for cybercriminals, enabling even low-skilled actors to execute high-impact attacks.

Bitwarden CLI Compromised in Supply Chain Attack Targeting npm On April 22, 2026, attackers briefly compromised the Bitwarden CLI by uploading a malicious version of the `@bitwarden/cli` npm package (version 2026.4.0). The package, available between 5:57 PM and 7:30 PM ET, contained a credential-stealing payload designed to spread to other projects. Bitwarden confirmed the incident, stating the breach was limited to its npm distribution channel and did not affect end-user vault data, production systems, or the legitimate CLI codebase. The company revoked compromised access, deprecated the malicious release, and initiated remediation. ### Attack Details Security firms Socket, JFrog, and OX Security reported that threat actors likely exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline to inject malicious code. The package included a preinstall script and a custom loader (`bw_setup.js`) that checked for the Bun runtime downloading it if absent before executing an obfuscated JavaScript file (`bw1.js`). The malware targeted: - npm and GitHub authentication tokens - SSH keys - Cloud credentials (AWS, Azure, Google Cloud) Stolen data was encrypted with AES-256-GCM and exfiltrated via public GitHub repositories under victims’ accounts, marked with the string "Shai-Hulud: The Third Coming" a reference to prior npm supply chain attacks. The malware also had self-propagating capabilities, using stolen credentials to inject malicious code into other packages. ### Connections to Other Attacks The attack shares infrastructure and malware overlaps with a recent Checkmarx supply chain breach, including: - The same telemetry endpoint (`audit.checkmarx[.]cx/v1/telemetry`) - Identical obfuscation routines (`__decodeScrambled` with seed `0x3039`) - Similar credential theft and GitHub-based exfiltration tactics Both campaigns have been attributed to TeamPCP, a threat actor previously linked to attacks on Trivy and LiteLLM. Bitwarden’s investigation found no evidence of broader compromise, but developers who installed the affected version were advised to rotate exposed credentials, particularly those tied to CI/CD pipelines and cloud environments.

New Supply Chain Attack Targets AI Developers with Malicious npm Package A sophisticated supply chain attack emerged on March 20, 2026, when a threat actor published a malicious npm package, gemini-ai-checker, under the account gemini-check. Marketed as a utility to verify Google Gemini AI tokens, the package contained hidden malware designed to steal credentials, files, and tokens from AI coding environments. The package’s README mimicked a legitimate JavaScript library, chai-await-async, though the two were unrelated a red flag many developers overlooked. Upon installation, the malware silently contacted a Vercel-hosted staging server (server-check-genimi.vercel.app) to download and execute a JavaScript payload directly in memory, evading traditional security tools. The attack was traced to OtterCookie, a JavaScript backdoor linked to the Contagious Interview campaign, attributed to North Korean (DPRK) threat actors. Microsoft documented a similar variant in March 2026, active since October 2025. The same actor maintained two additional malicious packages express-flowlimit and chai-extensions-extras sharing the same Vercel infrastructure. By publication, the three packages had been downloaded over 500 times combined, with gemini-ai-checker removed just before April 1, 2026, while the others remained active. This campaign uniquely targeted AI developer tools, including Cursor, Claude, Windsurf, PearAI, Gemini CLI, and Eigent AI, extracting API keys, conversation logs, and source code. The malware also stole browser credentials and cryptocurrency wallets, including MetaMask and Exodus. The infection mechanism was designed to evade detection. The package included 44 files and four dependencies, appearing legitimate with a SECURITY.md file. A hidden libconfig.js file split the command-and-control (C2) configuration into fragments, reassembled at runtime by libcaller.js to fetch the payload. The malware executed in memory using Function.constructor instead of eval to bypass static analysis. Once active, the payload deployed a four-module architecture, each running as a separate Node.js process connected to 216.126.237.71 on dedicated ports. Module 0 established remote access via Socket.IO, Module 1 targeted browser databases and cryptocurrency wallets, Module 2 scanned for sensitive files in AI tool directories, and Module 3 monitored the clipboard with a delayed startup to avoid sandbox detection. Defenders were advised to monitor outbound connections to Vercel and use Microsoft’s KQL queries to detect suspicious Node.js behavior. The incident underscored the risks of unverified npm packages and the need to treat AI tool directories with the same caution as sensitive system folders.

Open VSX Marketplace Vulnerability Allowed Malicious Extensions to Bypass Security Scans A critical vulnerability in the Open VSX extension marketplace’s pre-publish scanning pipeline, dubbed "Open Sesame," allowed malicious extensions to bypass security checks and be published as "PASSED." The flaw was responsibly disclosed on February 8 and patched by February 11, demonstrating both the severity of the issue and the Open VSX team’s rapid response. Open VSX, used by platforms like Cursor and Windsurf as an alternative to Microsoft’s VS Code extension registry, introduced the scanning pipeline to detect malware, embedded secrets, suspicious binaries, and name-squatting attempts. The system required extensions to pass both synchronous and asynchronous scans before activation unless a scan failed, in which case the extension would be quarantined. However, a logic flaw in the scanning service’s boolean return value created a "fail-open" scenario. The system could not distinguish between no scanners configured (a valid case) and all scanner jobs failing (an error condition). Under heavy load, scan jobs would fail silently, and the system would interpret the ambiguous return value as "nothing to scan," automatically approving the extension. Exploiting the vulnerability required no special privileges any user with a free publisher account could trigger it by flooding the publish API with malicious extensions. Each upload would exhaust shared database resources, causing scan jobs to fail without being registered. The system then treated the failure as a successful scan, publishing the extension as verified. The impact was significant: malicious extensions could appear legitimate, posing a supply chain risk to developers. The Open VSX team addressed the issue by removing the ambiguous boolean logic and ensuring explicit failure handling, preventing automatic approvals when scans fail. This incident underscores the dangers of fail-open design in security systems, where ambiguous error handling can collapse critical safeguards under stress. The fix reinforces the principle that security-sensitive workflows should default to denial, not approval, when failures occur.

A critical security vulnerability was discovered in Cursor, an AI-powered fork of Visual Studio Code, where a disabled-by-default Workspace Trust setting allowed arbitrary code execution when a maliciously crafted repository was opened. Attackers could exploit this by embedding hidden autorun instructions in `.vscode/tasks.json`, triggering silent code execution upon folder opening. This flaw exposed users to supply chain attacks, risking sensitive credential leaks, unauthorized file modifications, or broader system compromise. The issue stemmed from Cursor’s default configuration, which prioritized convenience over security, leaving developers vulnerable to deceptive repositories hosted on platforms like GitHub. While mitigations (e.g., enabling Workspace Trust, auditing untrusted repos) were advised, the flaw highlighted systemic risks in AI-driven development tools, where classical security oversights (e.g., misconfigurations, missing sandboxing) amplify attack surfaces. The vulnerability underscored the broader trend of prompt injection and jailbreak risks in AI coding assistants, where malicious actors exploit trust gaps to bypass security reviews or execute unauthorized code.

The AI-powered developer tool Cursor was found to have a critical vulnerability (CVE-2025-54136, dubbed MCPoison), allowing attackers to permanently inject malicious code into development projects via its Model Context Protocol (MCP) system. Once a seemingly harmless MCP configuration is approved by a developer, attackers can later replace it with malicious commands. The modified code executes automatically every time the project is opened, without further warnings or approvals, creating a persistent backdoor. This flaw enables unauthorized access to sensitive data (e.g., credentials, internal documents) stored locally by developers, intellectual property theft through source code manipulation, and compromise of collaborative environments—especially in startups and research teams where Cursor is widely used. The vulnerability exploits blind trust in AI-driven automation, turning convenience into a long-term security risk. While a patch was released on July 30, 2025, the exposure period left organizations vulnerable to stealthy, continuous attacks with potential for large-scale data breaches or supply-chain compromises if exploited in shared repositories.

A high-severity vulnerability (CVE-2025-54136, CVSS 7.2), dubbed MCPoison, was discovered in Cursor’s AI-powered code editor, enabling remote and persistent code execution via manipulated Model Context Protocol (MCP) configurations. Attackers could exploit this by embedding a benign MCP config in a shared GitHub repository, waiting for victim approval, then silently replacing it with malicious payloads (e.g., backdoors, scripts like `calc.exe`). The flaw stemmed from Cursor’s trust model, which indefinitely trusted approved configs even after modification, exposing organizations to supply chain risks, data theft, and intellectual property exfiltration without detection. The issue was patched in Cursor v1.3 (July 2025) by enforcing re-approval for MCP config changes. However, the vulnerability underscored broader risks in AI-assisted development, including AI supply chain attacks, model poisoning, and unsafe code generation. Research highlighted that 45% of LLM-generated code (Java worst at 72%) introduced OWASP Top 10 vulnerabilities, while novel attack vectors like LegalPwn (prompt injection via legal disclaimers), Man-in-the-Prompt (rogue browser extensions), and MAS hijacking (multi-agent system compromise) further demonstrated systemic weaknesses in AI security paradigms. The flaw’s exploitation could lead to unauthorized data access, lateral movement, and persistent compromise of developer workflows, amplifying risks for enterprises integrating LLMs into critical systems.