Our organization is currently considering Cursor Pro subscriptions for our developers. However, a security concern was raised today based on this article:
Just wanted to check if the team is aware of this issue, and whether a fix or update is already in the works?
While I'm not part of the Cursor team, I also care about security.
If you read the original article by socket dot dev, in order for their reported NPM packages to be exploited, users have to install shady NPM packages. It is not a supply chain threat but a threat for users who fall for "cheaper than original" type scams.
This is not really an issue for Cursor users who do not install those packages and therefore do not hack their Cursor IDE. As you run Cursor under your own user, you have direct access to all the data and files. This is normal for any IDE.
There are known cases of non-official Cursor installers which were made by others to provide cheaper (shared) access to Cursor. As with any hacked installers, using them can only be harmful, so it's best to use the official download installer.
This is an NPM issue, and it seems that socket dot dev provides that risk management as a service.
What type of fix are you hoping they will release? Malicious NPM packages are an NPM issue and not a Cursor issue because, other than taking steps to make the community aware of the risk, there is no direct integration, and the packages are controlled by third-party developers.
"Supply chain" attacks against NPM package repos are going to be a concern for all of your development efforts, not just when you or your team are using Cursor, but basically whenever you're working within the Node ecosystem (and potentially with any other package manager for any language).
The only advice I can offer is to take steps to verify the integrity and security of any NPM packages your development team wants to use and to then whitelist only the ones you know are safe. It's a pain, but given that the attack vector is very broad, it's the only way to be somewhat sure you're not inadvertently introducing gaps in your cybersecurity defenses.
Thanks for bringing this to our attention! The other responses here are spot on. These malicious packages are not a vulnerability in Cursor itself, but rather third-party npm packages trying to impersonate Cursor tools.
The only safe way to get Cursor is through our official channel:
We take security very seriously at Cursor. You can read about our security practices here:
For organizations considering Cursor Pro, we recommend:
Only installing from official sources
Only paying for Cursor Pro or Business with us directly
Following standard npm security practices for your development workflow