Snyk security researcher deploys malicious NPM packages targeting cursor.com

cursor dev here. reasonable assumptions, but not quite the case. the snyk packages are just the names of our bundled extensions, which we never package nor upload to any registry. (we do it just like how VS Code does it: https://github.com/microsoft/vscode/tree/main/extensions)

we did not hire snyk, but we reached out to them after seeing this and they apologized. we did not get any confirmation of what exactly they were trying to do here (but i think your explanation that someone there suspected a dependency confusion vulnerability is plausible. though it's pretty irresponsible imo to do that on public npm and actually sending up the env variables)

> If that's the case, then there's not much to see here

They could have demonstrated the POC without sending data about the installing host, including all your environment variables, upstream. That seems like crossing the line

> If that's the case, then there's not much to see here.

Allowing someone full access to the contents of your environment (i.e. output of env command) is a big deal to most, I suspect.

Hey there! I run DevRel & SecRel @ Snyk, we just published a piece to help dispel all the rumors, etc. This provides a lot of in-depth info on the situation: https://snyk.io/blog/snyk-security-labs-testing-update-curso...

Wasn't this supposed to be fixed in NPM? I remember a talk by the researcher behind portswigger (sorry blanking on his name) doing this a while back, with great success (apple,ms,meta, basically all faang were vulnerable at that time).

Given how all my interactions with them have been extremely negative (see my other comment), I think it's rather likely that there is foul play.

Vagrant’s popularity seems to have died down with Docker containers but it’s by far my favorite way to make dev environments.

Several years ago I worked somewhere that prohibited web browsers and development tools on laptops. If you needed to use a browser, you’d have to use one over Citrix. If you needed to code, you’d use a VDI or run the tools in a VM.

At the time I thought their approach was clinically insane, but I’m slowly starting to appreciate it.

The real problem is video performance in VMs. It still just...kind of sucks. Running Cinnamon in a VM is just about impossible to get GL acceleration working properly.

nvidia gates it's virtualized GPU offerings behind their enterprise cards, so we're left with ineffective command translation.

IMO: I can tolerate just about every other type of VM overhead, but choppy/unresponsive GUIs have a surprisingly bad ergonomic effect (and somehow leak into the performance of everything else).

If we could get that fixed, at least amongst Linux-on-Linux virtualization, I think virtualizing everything would be a much more tenable option.

It's horrible that trust is being eroded so much, and seeing monthly GB updates to my OS doesnt reassure me at all. I like the idea of having a stable isolated VM for each project. Are there standard open-source tools to do this?

Specifically I'm transitioning my Go and Zig development environments from an old mac to an M1 with Asahi Linux and getting a bit lost even finding replacements for Truecrypt and Little Snitch. Do these VM tools support encrypted VM's with firewall rules? I saw Vagrant mentioned here and that sounds like it might cover the network isolation, but what else would you suggest?

I know where you are coming from and I considered this myself again and again. For me and for now it is not something I want to do and not primarily because of the effort.

The VM might protect me, but it will not protect the users of the software I am producing. How can I ship a product to the customer and expect them to safely use it without protection when I myself only touch it when in a hazmat suit?

No, that is not the environment I want.

My current solution is to be super picky with my dependencies. More specifically I hold the opinion that we should neither trust projects nor companies but only people. This is not easy to do, but I do not see a better alternative as for now.

i develop on linux, on various projects. i'm mostly concerned with all the tools, build scripts and tests that may read sensitive data, or accidentally destroy data. so i'm limiting access to files when working on a project with linux namespaces, using bubblewrap.

i've got a simple per-project dot file that describes the file system binds. while i'm working on a project, new terminals i open are automatically isolated to that project based on that dot file. it has very low (cognitive) overhead and integrates pretty much seamlessly. i suspect many developers have similar scripts. i looked for projects that did this some time ago, but couldn't find it. either because it's too simple to make a project about, or because i don't know how others would describe it. if anyone has pointers...

i don't limit network access (though i did experiment with logging all traffic, and automatically setting up a mitm proxy for all traffic; it wasn't convenient enough to use as regular user). there is still a whole kernel attack surface of course. though i'm mostly concerned about files being read/destroyed.

Time to main Qubes OS on your development machine. https://www.qubes-os.org/

I think a lot of the issues in this particular example is the ease with which api keys, once leaked, are single factor passwords.

If you ran a key logger on my machine you would never get into any major site with mfa. You couldn't watch me log on to the azure console with passkey and do much with it. But if you scrape a saved key with publish abilities bad things happen.

I wonder how this is mitigated by my current workflow of running jupyter and vscode from a docker container.

I did not start doing this because of security, but just to get something more or less self managed without any possibility to break different projects. I am tired of my team spending too much time on extensions, versions, packages, ...

Docker compose files have saved our team many hours, even if it's extremely wasteful to have multiple vscode instances running alongside each other

I started doing development under a separate non-admin user on my MacBook. I switch to another user for personal stuff, or the admin user to install stuff with Homebrew. Doesn't protect from zero days but it's better than nothing.

I just stick to using whatever is on my distribution for personal use.

For work use I use a work machine and if it gets compromised it's not really my own problem.

The security, and overall application stability attack vector, is why I now vouch for processes with OS IPC instead of shared libraries, even if it requires more resources.

It doesn't fully sort out the trust issue though, even if everything is sandboxed in some fashion.

I wonder how long until this is standard, and PFYs coming into the industry look at our current practices much like people now look at non-encrypted credentials being sent over the network.

Why would you do anything but work related activities on a work machine. If you really want trust for software. Don’t use a computer.

>If you're pulling in a package that has 400 dependencies, how the heck would you even competently check 10% of that surface area?

This would be where different security advice would apply: don't pull in a package that has 400 dependencies.

This is really where SELinux had the right idea overall: preclassifying files with data about their sensitivity, and denying access based on that, does adequately solve this problem (i.e. keeping npm installations away from id_rsa).

Wait how in the world does a React carousel component have over 400 deps…

> If you're pulling in a package that has 400 dependencies, how the heck would you even competently check 10% of that surface area?

At my place of work we use this great security too called Snyk. Definitely check it out

/s

They also penalize libraries that are "done," and require minimal development.

Completely backwards software that corpos only seem to buy because their insurers force them to check off some security list box.

"insulted me over email" - whoa, that's wild, do you still have the email? would be fun to see it :D

That's extremely unfortunate, especially about the "abandoned" labelling. I've been looking to move off GitHub recently as well, it feels like it's got a bit too much control.

Codeberg looks interesting, and there are self-hosted ones like Forejo that also look great if you're okay with the maintenance.

> hey also mark projects as "abandoned" if they move to any other forge that isn't github. And they stay abandoned even if new releases appear on npm/pypi :D

Well theres a sign of a good team.. /s

That's actually an interesting take, I haven't heard too much about them except that they do have an ego.

I'm sure you can provide the body of the [appropriately redacted] said email?

Why not? NPM behaves oddly when there is a public package named the same as one on a private repo, in some cases it’ll fetch the public one instead. I believe it’s called package squatting or something. They might have just been showing that this is possible during an assessment. No harm no foul here imo

It's not white hat because they actively extract data; if it was just to prove it worked they could've done a console.log, cause npm install to fail, or not extract a payload.

It's not just NPM, it's the trust in third party libraries in general. Even though it's much rarer, you'll see exploits on platforms like Nuget. You're also going to see them on JSR. You have more security because they are immutable, but you're not protected from downloading a malicious pacakge before it's outed.

I think what we're more likely to see is that leglislation like DORA and NSIS increasinly require that you audit third party packages. This enforcing a different way of doing development in critical industries. I also think you're going to see a lot less usage of external packages in the age of LLM's. Because why would you pull an external package to generate something like your OpenAPI specification when any LLM can write a cli script that does it for you in an hour or two of configuring it to your needs? Similarily, you don't need to use LLM's directly to auto-generate "boring" parts of your code, you can have them build cli tools which does it. That way you're not relying on outside factors, and while I can almost guarantee that these cli tools will be horrible cowboy code, their output will be what you refine the tools to make.

With languages like Go pushing everything you need in their standard packages, you're looking at a world where you can do a lot of things with nothing but the standard library very easily.

Snyk is founded by people from the Israeli Army's Unit 8200.

I wouldn't install it if you paid me to, because it feels a lot like Unit 8200 pumps out entrepreneurs and funds them so that (like the NSA) they have their foot already in the door.

Got better results with Syft

Lots of false positives IME

Spraying your attack into the public with hopes of hitting your target is the polar opposite of responsible. The only "good" part of this is that you were caught in the act before anyone else got hit in the crossfire.

In response, you suggest that you'll send a letter of apology to the funeral home of anyone that got hit. Compromising their credentials, even if you have "good intentions", still puts them into a compromised position and they have to react the same as they would for any other malevolent attacker.

This is so close to "malicious" that it's hard to perceive a difference.

edit: Let's also remind everyone that a Snyk stakeholder is currently attempting to launch a Cursor competitor, so assuming good intentions is even MORE of a stretch.

Cool. Why phone home the user's environment, then? The vulnerability could very much be confirmed by simply sending a stub instead of live envs.

This is grey-hat at best. Intent may have been good, but the fact is that this team created and distributed software to access and exfiltrate data without permission which is very illegal. You may want to consult with the legal department before posting about this on a public forum fyi.

Seems reasonable enough, but why would it (allegedly) send environment variables back via a POST? Even if it's entirely in good faith, I'd rather some random package not have my `env` output..

Upvoting this since presumably you're actually the CTO at Snyk and people should see your official response, but wow this feels wildly irresponsible. You could have proved the PoC without actually stealing innocent developer credentials. Furthermore, additional caution should have been taken given the conflict of interest with the competitor product to Cursor. Terrible decision making and terrible response.

What is responsible about sending the environment over in a proof of concept?

The usual reasons: laziness, ignorance, poor design. Most package managers suck at letting you add 3rd party repos. Most package managers don't have namespaces of any kind. The ones that do have terrible design. Most of them lack a verification system or curation. Most of them have terrible search. None of them seem to have been exposed to hierarchical naming or package inheritance. And a very small number of people understand security in general, many fewer are educated about all the attack classes.

But all of that is why they get popular. Lazy, crappy, easy things are more popular than intentional, complex, harder things. Shitty popular tech wins.

You're not really missing anything so much as adding a misguided assumption of competence to NPM.

Npm doesn't really do namespaces. There's just no ownership to prove as most packages are published like "call-home" with no namespace required. This gives exciting opportunities for you to register cal-home to trap users who miss type, or caII-home to innocuously add to your own or open source projects or whatever. Fun isn't it?

In this case the call home package is namespaced, but the real attack is the packages like "cursor-always-local" which has no namespace. Which can sometimes (?) take precedence over a private package with the same name.

It's not a pretty picture, you were better off missing it really.

You're referring to what I described previously here... ironically back when the first dependency confusion research was published: https://www.sonatype.com/blog/why-namespacing-matters-in-pub...

NPM packages VS Wordpress plugins ... I think it is a head to head race there.

Security often means the opposite of scalability and growth, so why should they? The business goal is to make sure Cursor grows large enough that they have economics of scale to be a viable business.

If you want secure LLM you can use Mistral, which comes with all the EU limitations, good and bad.

It's not a smoking gun. It is just one of a number of signals you look for when identifying potentially malicious packages. Other things you look for are number of collaborators, how long it existed, domains it talks to, and artifacts it pulls in.

Could you please explain a little more. I can use such practice in my dev workflow.

The dev is https://github.com/6mile (same as author of the article)

seems to be either a tool that isnt out yet or perhaps not available for free or the public.

> The packages performed HTTP requests back to our researchers containing username, hostname, current directory and (in later versions) environmental variables.

And exfiltration was needed to confirm a vulnerability why exactly?

I love how completely unaware you guys are.

Sorry, but you screwed up royally. Scary to see that Snyk still does not see this.

Ethically, your work was even lower than that of those who test their AI tools on FOSS code, send in bogus reports and thus waste maintainer's time. Experimenting on unwitting humans and ecosystems is not okay.

As much as I don't like NPM, these issues aren't limited to NPM. It's just that NPM is getting so much attention that we're more likely to find and hear about these issues when when they target NPM.

I'm fairly concerned about the state of Python packages. It's not every week, but I frequently stumble upon packages that are not what they appear to be. Sometimes not maliciously, sometimes the author just got overly ambitious and failed to deliver, other times, someone is clearly typo-squatting or attempting to get you to install the wrong thing.

> I don't see any systematic protection against this?

Snyk

I don't have a dog in this hunt. I've never worked with Snyk, I've never been a customer, and I don't think I even know anyone who works there. That said, they've built their whole company around being trustworthy and doubt they'd knowingly do anything to risk their entire business. Also, I can hardly imagine someone better positioned to protect against supply chain attacks.

Your criticism sounds to me like "just a reminder that this armed bodyguard service comprises Navy SEALs and Army Rangers". Uh, great!

So every Israeli is now a Mossad agent and every customer is an enemy of Israel like Hezbollah? You won't buy from Snyk because you want to boycott Israel, just own up to it it's a popular position to take.

As the pager / radio terrorist attack showed, it's the Mossad involvement you don't know about that you should be worried about. Same with the CIA, they were behind "secure" radio communication in Europe for decades (https://en.wikipedia.org/wiki/Crypto_AG) and nobody had any idea.

That's absurd. If that's your claim, do you know how many of your daily tools and hardware you should also drop?

Just a reminder that Unit 8200 is staffed mostly by conscripts who are serving out their mandatory military service and chose to accept an invitation to serve in the cyberwarfare arm of the IDF instead of choosing to shoot guns.

In other words, it's staffed by Israeli kids who made the choice most of us would have made under the circumstances. It seems a bit unfair to hold that against them more than 10 years later, no?

Don't hate the player hate the game ;)

> "no one can hack us"

Did Cursor made claims to this effect and invited public to hack them?

Or are you equating someone saying they "take security seriously" to "it's an open season, please attack our systems."?

> Yawn.

Wrong forum perhaps? Or wrong story? But you clicked the story. Read it. And then even bothered to comment on it. You are putting a lot of effort into something that does not interest you.

They're terrible already. If you invest enough in marketing nothing matters.

If it was really a test, then why would it be sending environment variables via HTTP POST? There are many better ways to do this if you're legitimately deploying code remotely.

I don’t even read those the same. To me snyk is read as snick and not sneak.

The name 'snyk' is an acronym, it stands for 'so now you know' (about security vulnerabilities) =D