A critical unpatched security vulnerability has been discovered in Cursor, a widely-used AI-powered code editor for macOS, which allows malicious actors to bypass Apple’s Transparency, Consent, and Control (TCC) privacy framework. The vulnerability arises from the misuse of Electron’s RunAsNode fuse, a configuration that enables the app to run as a Node.js process, inadvertently granting attackers the ability to execute arbitrary code using the app’s own elevated privacy permissions. This flaw allows malware to access sensitive system resources such as the Documents, Downloads, and Desktop folders, along with cameras and microphones, without triggering standard user consent prompts enforced by macOS.

The issue was discovered by security researchers, who were investigating potential TCC bypass methods in third-party macOS applications. Their analysis revealed that the vulnerability allows Cursor to be exploited as a trusted intermediary, effectively cloaking malicious activity under the guise of a legitimate app. When exploited, malware can inherit the Cursor’s TCC permissions and perform unauthorized actions like capturing screenshots, recording audio, or accessing confidential files. These actions can occur silently or via social engineering techniques that present fake permission prompts, fooling users into unknowingly granting access.

The exploitation technique hinges on the ELECTRON_RUN_AS_NODE environment variable and involves placing a malicious Launch Agent in the ~/Library/LaunchAgents/ directory. This agent can execute arbitrary JavaScript by launching Cursor with the -e flag followed by a payload—for instance, using Node’s child_process module to list the contents of the user’s Documents folder and exfiltrate it. A key aspect of the vulnerability is that the system treats this as a legitimate request from Cursor, bypassing normal security checks and giving attackers stealthy access to protected data without the user's awareness.

Despite being responsibly disclosed, the Cursor development team dismissed the flaw, claiming it “falls outside their threat model” and expressed no intent to fix it. This negligent stance has led to the public disclosure of the vulnerability to alert users and encourage informed decisions about the continued use of Cursor. The combination of Cursor’s rising popularity, its integration with AI-driven development workflows, and its ability to act as a trusted proxy for malicious code execution significantly increases the threat surface, making it an appealing target for attackers aiming to infiltrate developer environments and potentially inject harmful code into software projects.