Serious macOS issue: ASafari folder + Dock Safari replaced/force‑closed after enabling Cursor terminal access

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Hi Cursor team,
I’m running into a serious and repeatable issue on macOS that seems tied to Cursor once I allow the AI agent to use Terminal (for Xcode builds/debug). It affects Safari in a way that looks very similar to malware behavior.

What happens:
• A folder named ASafari appears on my system. Inside there is a small Safari.app (~2.4 MB) plus several Safari‑related .db files.
• In System Settings → General → Login Items, I see a background item called “bash”, shown as “Item from unidentified developer”.
• The Safari icon in the Dock gets silently switched to that small Safari app from the ASafari folder.
• If I delete the ASafari folder and fix the Dock to point back to the real Safari, everything works again – until I open Cursor.

New / more severe behavior

Today I noticed something worse:

  1. I removed the ASafari folder, fixed the Dock back to the original Safari, and rebooted.
  2. After the reboot, I worked with Safari for a while – everything was fine.
  3. Then I launched Cursor.
  4. A few moments after Cursor started, Safari closed by itself.
  5. When I tried to reopen Safari, it was again the “empty” Safari from the ASafari folder, and the ASafari folder had reappeared.

So simply opening Cursor is enough to reliably trigger:
• Safari being force‑closed.
• The Dock Safari icon being switched back to the small Safari app.
• The ASafari folder being recreated.

I can reproduce this sequence multiple times.

Steps to Reproduce

How to reproduce (on my machine)

  1. Fresh macOS reinstall – system is clean, no ASafari, Safari behaves normally.
  2. Install Cursor (no unusual configuration, used basically out‑of‑the‑box).
  3. Grant the Cursor AI agent Terminal permissions, so it can run Xcode builds and debug.
  4. Use Cursor for visionOS development (Xcode builds/debug).
  5. At some point after using Cursor, the following happens:
    • ASafari folder appears with its own small Safari.app.
    • A background item named “bash” appears in Login Items as “Item from unidentified developer”.
    • Dock Safari points to the small Safari from ASafari.
  6. Remove ASafari, fix Dock Safari back to the original, reboot – Safari works normally again.
  7. Open Cursor → within a short time Safari closes on its own, and when I open it again, I’m back to the small Safari + ASafari folder is recreated.

Operating System

MacOS

Version Information

Version: 2.4.27 (Universal)
VSCode Version: 1.105.1
Commit: 4f2b772756b8f609e1354b3063de282ccbe7a690
Date: 2026-01-31T21:24:58.143Z
Build Type: Stable
Release Track: Default
Electron: 39.2.7
Chromium: 142.0.7444.235
Node.js: 22.21.1
V8: 14.2.231.21-electron.0
OS: Darwin arm64 25.2.0

For AI issues: which model did you use?

GPT‑5.2 High Max

Additional Information

What I already tried
• Disabled the “bash” background item in Login Items.
• Deleted the ASafari folder multiple times.
• Reset the Dock icon to the original Safari.
• Clean reinstall of macOS before all of this (issue disappears after reinstall, returns only after using Cursor with agent Terminal access).

Despite that, as soon as I start Cursor again, the problem comes back exactly the same way.

How I use Cursor
• I use Cursor mostly out of the box – no exotic settings or custom plugins.
• I enabled the agent’s Terminal access so it can run and debug Xcode projects directly, which is important for visionOS development.
• Model selected in Cursor: GPT‑5.2 High Max.

No other dev tools have special hooks into Safari as far as I know.

Why I’m worried

From a user perspective this is indistinguishable from malware:
• A fake/alternate Safari appears.
• A background item called “bash” from an unidentified developer is added.
• Safari is force‑closed when I open Cursor and replaced by the alternate version.
• The behavior survives reboots and only disappears after manual cleanup, but re‑appears as soon as Cursor is used again.

Given that I only see this after using Cursor (and after granting Terminal access), I strongly suspect some helper/agent process is involved, or something in the toolchain Cursor is using.

Questions:

  1. Does Cursor install any helper or background process that could appear as a Login Item named “bash”?

  2. Is Cursor expected to create an ASafari folder or its own Safari.app bundle anywhere on disk?

  3. Could any part of Cursor’s agent / debugging flow be hooking or wrapping Safari (e.g. for web previews or auth), and accidentally leaving behind this ASafari setup?

  4. What logs or diagnostics would be most useful for you to narrow this down (without exposing tokens or private data)?
    • I’m happy to run specific commands (e.g. to list LaunchAgents, running processes, code signatures of the small Safari, etc.) if you can provide a checklist.

I can attach screenshots showing:
• The ASafari folder contents including the small Safari.app.
• The Login Item “bash – Item from unidentified developer”.
• The Dock before and after Cursor is launched.

Any help or guidance would be greatly appreciated – at the moment I basically can’t trust my Safari install whenever Cursor is running.

Does this stop you from using Cursor

Yes - Cursor is unusable

Hey, thanks for the detailed report. This is serious.

Just to be clear: Cursor does not create Safari app bundles, folders like “ASafari”, or add login items. What you’re describing isn’t part of normal functionality.

To figure this out, we’ll need some diagnostics:

  1. Path to ASafari: where exactly does this folder appear? (~/ASafari? /Applications/ASafari? somewhere else?)

  2. Code signature of that Safari.app:

    codesign -dv --verbose=4 /path/to/ASafari/Safari.app
    
  3. LaunchAgents:

    ls -la ~/Library/LaunchAgents/
    ls -la /Library/LaunchAgents/
    

    And the contents of any suspicious plist files

  4. Which extensions are installed in Cursor? (Cmd+Shift+P > Extensions: Show Installed Extensions)

  5. What did the agent run in the terminal? If you have chat history where the agent ran commands, that’ll help us see if there was anything that could’ve triggered this

I’ll pass this to the security team as soon as I get the diagnostics. For now, I recommend temporarily not using terminal access for the agent.

Hi, thanks, I agree this is serious and I appreciate you escalating it to the security team.

ASafari location

  • The folder is here on my machine:
    /Users/<redacted>/Library/ASafari/Safari.app

Code signature

Output of:

    codesign -dv --verbose=4 /Users/<redacted>/Library/ASafari/Safari.app

    Executable=/Users/<redacted>/Library/ASafari/Safari.app/Contents/MacOS/Safari
    Identifier=com.apple.safari
    Format=app bundle with generic
    CodeDirectory v=20100 size=193 flags=0x2(adhoc) hashes=1+3 location=embedded
    Hash type=sha256 size=32
    CDHash=799b9995bdd96a03fccff0038f75986d701990b9
    Signature=adhoc
    TeamIdentifier=not set
    Info.plist entries=24
    Sealed Resources version=2 rules=13 files=7

Cursor extensions

  • No extensions installed (Extensions: Show Installed Extensions shows none).

Agent / terminal history

  • I don’t see any terminal session logs recorded under the project’s Cursor “terminals” folder (it was empty in the agent transcript), so I don’t currently have a definitive “agent ran X commands” history to share.
  • I can share the relevant Cursor agent transcript files I have on disk if that helps correlate timing.

Regarding launch agents

No relevant info from terminal commands, just the Adobe stuff. But I also deactivated this suspicious bash:

If you have a preferred way to collect evidence (e.g., exact filenames/patterns you want, or whether you want a zipped bundle), tell me and I’ll follow that exactly.

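The signature report posted above pairs an Apple bundle identifier with an ad hoc signature and no certificate chain, which an app actually signed by Apple would not show. As an added example (not part of the thread, and not Cursor's or Apple's tooling), this shell function classifies `codesign -dv --verbose=4` output on that basis; the function name, the verdict labels and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `codesign -dv --verbose=4` output read on stdin.
# codesign writes this report to stderr, so on macOS pipe it with 2>&1:
#   codesign -dv --verbose=4 /path/to/Some.app 2>&1 | classify_codesign
classify_codesign() {   # hypothetical helper name
    awk -F= '
        /^Identifier=/                   { id = tolower($2) }
        /^Signature=adhoc$/              { adhoc = 1 }
        /^CodeDirectory / && /\(adhoc\)/ { adhoc = 1 }
        /^Authority=/                    { chain++ }   # one line per certificate
        END {
            apple_id = (index(id, "com.apple.") == 1)
            if (apple_id && (adhoc || chain == 0)) print "MASQUERADE"
            else if (adhoc || chain == 0)          print "NO_TRUST_CHAIN"
            else                                   print "SIGNED"
        }'
}

# Report as posted in the thread (user name redacted on the page).
sample_from_thread() {
cat <<'EOF'
Executable=/Users/<redacted>/Library/ASafari/Safari.app/Contents/MacOS/Safari
Identifier=com.apple.safari
Format=app bundle with generic
CodeDirectory v=20100 size=193 flags=0x2(adhoc) hashes=1+3 location=embedded
Hash type=sha256 size=32
CDHash=799b9995bdd96a03fccff0038f75986d701990b9
Signature=adhoc
TeamIdentifier=not set
Info.plist entries=24
Sealed Resources version=2 rules=13 files=7
EOF
}

# Constructed sample: a third-party app signed with a full certificate chain.
sample_signed() {
cat <<'EOF'
Identifier=com.example.signedapp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
EOF
}

sample_from_thread | classify_codesign   # prints MASQUERADE
sample_signed | classify_codesign        # prints SIGNED
```

A `NO_TRUST_CHAIN` verdict on its own is common for locally built binaries, which are often ad hoc signed; it is the `com.apple.` identifier on top of it that makes the bundle in this thread stand out.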