Press release. CursorJack, a method to potentially abuse Cursor MCP deeplinks, could allow code execution or installation of a malicious remote MCP server, according to research by the cybersecurity company Proofpoint.
An MCP server is a standardized program that links AI with tools, APIs, databases and local files, to access data and perform actions securely, without having to integrate each tool individually. Deeplinks, meanwhile, are custom URL schemes that direct users to specific pages within an application. The Cursor IDE implements MCP deeplinks for quick installation of MCP servers, which can create a new attack vector in AI development tools.
The proliferation of AI coding assistants has normalized approval requests, and Cursor executes commands with user privileges when users accept the installation request. IDEs that support MCP servers are typically deployed on developer workstations that may have privileged access, including API tokens, cloud credentials, source code, and access to production systems.
“As users are encouraged to adopt AI, many are writing and running code for the first time without fully understanding the security implications, which makes developers a target for cybercriminals,” point out the Proofpoint researchers.
Deeplinks can use any name, so through social engineering they can impersonate legitimate MCP servers, such as Azure DevOps, and there is no verification that the deeplink originates from the declared provider. It is up to the users to review the parameters before approving. EDR controls, permission lists, and operating system policies can limit or block abuse depending on configuration.
The malicious behaviors analyzed by Proofpoint were observed in test environments and do not imply silent or zero-click exploitation by default. In their research, a single click followed by the user’s acceptance of an installation request executed arbitrary commands, which “underscores the urgent need to secure agentic AI environments,” declare the experts.
For Proofpoint, the MCP ecosystem requires security enhancements embedded directly into its architecture, rather than relying on additional security tools or user surveillance as a primary defense. Deeplinks from untrusted sources should be treated with the same caution as untrusted executables. Approval flows should incorporate granular security warnings and origin verification to help users distinguish deeplinks from trusted and untrusted locations.
A trusted ecosystem with verified signatures and publishers for MCP servers, analogous to those for browser extensions or app installers, would establish the authenticity of the server. Additionally, a robust code signing mechanism would ensure that users can verify the source and integrity of servers before installation, creating a marketplace-like environment for trusted MCP integrations.
