Knostic’s newly unveiled attack is similar in concept, but because it is delivered by way of a malicious MCP server, it expands the attack surface beyond extensions.
“An MCP server must be handled precisely like VS Code extensions when it comes to security,” Munis said. That’s because MCP servers are essentially downloaded to run on your laptop, and inherit the permissions of the IDE you use, he explained.
In his proof-of-concept attack, Munis shows that an MCP server can inject JavaScript code into the built-in browser that Cursor recently added to allow developers to visually test changes to their application code and to allow Cursor’s AI agent to automatically perform tasks that require browsing. Using this technique, Munis replaced the browser’s actively displayed page with a login prompt, as in a phishing scenario, but without the URL ever changing; in other words, the injected code’s changes happen on the fly.



