Cursor’s autorun lets hackers execute arbitrary code
SMRTR summary
Cursor's AI-powered code editor contains a critical security flaw allowing hackers to execute malicious code automatically when developers open folders. The vulnerability exists because Workspace Trust is disabled by default, letting attackers craft repositories with hidden autorun tasks that can steal API keys, cloud credentials, and sensitive data without any user prompt or warning. This issue represents another case where user convenience trumped security, potentially enabling organization-wide compromises through a simple "open folder" action.
SMRTR provides this summary for quick context. The original article belongs to Daily.dev.