Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
Related Async-api GitHub bug report in the Open VSX Registry (v1.0.1; Last released 2025-11-24, 00:36:47)
What the worm does: Scrapes local machine for secrets; installs backdoors; tries to self-propagate through GitHub to other repos. All the nasty stuff.
In particular, because @asyncapi/specs and @asyncapi/modelina — two core packages of the AsyncAPI ecosystem — are affected, any VSCode extension that wraps or uses those packages (for example to preview AsyncAPI specs) is at risk. Indeed you suspected correctly that asyncapi-preview could be affected.
Also
- @zapier/zapier-sdk versions 0.15.5, 0.15.6, 0.15.7
- Numerous packages under the @postman scope (postman-node-keytar, postman-tunnel-agent, pm-bin, etc.)
- Other packages such as posthog-node, posthog-react-native, quick-markdown-print and related “quick-” tools.
In total the campaign compromised “~700 npm packages” according to one vendor summary.
More info about the worm:
- Sha1-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposed | Wiz Blog
- Shai-Hulud 2.0 npm Supply Chain Attack Technical Analysis — Real-time Open Source Software Supply Chain Security
Steps to Reproduce
Don’t install infected marketplace extensions such as asyncapi-preview
Operating System
MacOS
Current Cursor Version (Menu → About Cursor → Copy)
Version: 2.1.39
VSCode Version: 1.105.1
Commit: 60d42bed27e5775c43ec0428d8c653c49e58e260
Well, all of em, as it is extension related.
Does this stop you from using Cursor
No - Cursor works, but with this issue
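
As an added example (not part of the original post, and not Cursor's or AsyncAPI's code), the following checks a parsed `package-lock.json` against the packages named in the report above. It assumes only what the post lists: the three `@zapier/zapier-sdk` versions are treated as compromised, while packages the post names without versions are flagged for manual review at any version, so clean releases will also match. The function names and the sample lockfile are constructed for illustration.

```javascript
// Exact versions the post names as compromised.
const BAD_VERSIONS = new Map([['@zapier/zapier-sdk', ['0.15.5', '0.15.6', '0.15.7']]]);
// Packages and scopes the post names without versions: flag for manual review.
const REVIEW_NAMES = ['@asyncapi/specs', '@asyncapi/modelina', 'posthog-node',
  'posthog-react-native', 'quick-markdown-print'];
const REVIEW_SCOPES = ['@postman/'];
const NM = 'node_modules/';

function classify(name, version) {
  if ((BAD_VERSIONS.get(name) || []).includes(version)) return 'compromised-version';
  const named = REVIEW_NAMES.includes(name) || REVIEW_SCOPES.some((s) => name.startsWith(s));
  return named ? 'review' : null;
}

// lockfileVersion 1 stores dependencies as a nested tree.
function* walkV1(deps, trail) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${trail}${NM}${name}`;
    yield { name, version: meta.version, path };
    yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// Yield every installed package recorded in a parsed package-lock.json.
function* lockEntries(lock) {
  if (!lock.packages) { yield* walkV1(lock.dependencies, ''); return; }
  // lockfileVersion 2 and 3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf(NM);
    if (i === -1) continue; // root project or workspace entry
    yield { name: meta.name || path.slice(i + NM.length), version: meta.version, path };
  }
}

function auditLockfile(lock) {
  const findings = [];
  for (const e of lockEntries(lock)) {
    const status = classify(e.name, e.version);
    if (status) findings.push({ ...e, status });
  }
  return findings;
}

// Constructed sample lockfile; "0.0.0-constructed" is a placeholder version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@zapier/zapier-sdk': { version: '0.15.6' },
  'node_modules/left-pad': { version: '1.3.0' },
  'node_modules/some-ext/node_modules/@asyncapi/specs': { version: '0.0.0-constructed' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`; the same check applies to the `node_modules` tree bundled inside an installed extension if it ships a lockfile.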