ShieldOps — cursor-agent-v0.4.2 Profile

cursor-agent-v0.4.2 v0.4.2

Publisher: Unknown Unverified

github-download

Last seen: 3 hours ago · Active on 47 of 247 endpoints

Team owner: Engineering · sarah.chen

First seen: March 4, 2025 · 48 days at current risk level

Risk Score

Provenance 85

Behavior 74

CVE 12

AI-Generated Risk Summary

cursor-agent-v0.4.2 is a sub-binary of the Cursor AI coding assistant, downloaded directly from GitHub without going through an official package registry. It carries no verified publisher signature, making it impossible to confirm its origin or integrity through standard channels. This binary has been observed accessing AWS credential files (~/.aws/credentials), SSH private keys (~/.ssh/id_rsa), and browser session token caches across 47 Finova endpoints — access patterns that extend well beyond what a coding assistant requires. While Cursor AI is a widely-used legitimate development tool, this specific sub-binary was introduced in version 0.42 and its file access behavior matches previously documented patterns in supply chain compromise incidents. Our behavioral scan flagged 2 non-conclusive indicators. Immediate recommendation: apply zero trust file control to restrict this binary to its working directory, and investigate the 3 external IP addresses it contacted outside Cursor's known infrastructure.

Risk Breakdown

Provenance Risk

No verified publisher, downloaded via github-download, not from official registry

Behavior Risk

Accesses credentials, SSH keys, and browser tokens beyond expected scope

CVE Risk

No CVE records (binary not in any CVE database — itself a risk signal)

Behavioral Timeline

First detected Mar 4 — 7 weeks ago

Binary appeared on 3 endpoints via Cursor update. No file access anomalies at first observed.

Access pattern change Mar 11 — 6 weeks ago

Binary began reading ~/.aws/credentials. Spread to 47 endpoints after Cursor v0.42 auto-update.

External contacts detected Mar 28 — 3 weeks ago

3 outbound connections to IPs outside Cursor's known infrastructure. Two IPs on threat intel watchlists.

ShieldOps flagged Apr 15 — 6 days ago

Risk score crossed threshold (78/100). Added to Approval Queue. Zero trust file control recommended.

Awaiting decision Now

Monitoring continues. Access paths partially restricted pending full policy decision.

Top Sensitive Paths Accessed

Path	Access Type	Count	Last Accessed
~/.aws/credentials	Read	847	2 hours ago
~/.ssh/id_rsa	Read	203	5 hours ago
~/Library/Application Support/Google/Chrome/Default/Cookies	Read	156	1 day ago
~/.ssh/config	Read	89	3 hours ago
/etc/hosts	Read	12	2 days ago

Distinct versions

across 47 endpoints

On latest (v0.4.2)

flagged · under review

On older versions

clean · no action needed

Versions behind latest

oldest active: v0.3.9

Endpoint distribution by version

Version Distribution Endpoints Share Status

v0.4.2 current

70%

⚠ Under review

v0.4.1 1 behind

18%

✓ Clean

v0.4.0 2 behind

✓ Clean

v0.3.9 3 behind

✓ Clean

Endpoint detail by version

Version	Endpoints	Teams	First seen	Last active	Risk
v0.4.2 Current	47 of 247 fleet	Engineering · 38 Design · 6 Data · 3	Mar 8, 2025	3 hours ago	78 / 100
v0.4.1 1 version behind	12 of 247 fleet	Engineering · 9 Data · 3	Feb 14, 2025	1 day ago	Clean
v0.4.0 2 versions behind	5 of 247 fleet	Engineering · 5	Jan 29, 2025	4 days ago	Clean
v0.3.9 3 versions behind	3 of 247 fleet	Data · 2 Design · 1	Dec 11, 2024	8 days ago	Clean

✦ AI insight: The risk jump is isolated to v0.4.2. Endpoints running v0.4.0 and v0.3.9 show no anomalous file access. This is consistent with a supply-chain injection introduced in the v0.4.2 release. Downgrading to v0.4.1 on flagged endpoints would reduce blast radius while investigation continues.

Current blast radius

If compromised: attacker reaches 3 credential stores, 2 SSH key files, Chrome & Firefox session tokens

After protection:

Access limited to ~/cursor-workspace only

What it currently accesses

🔑 Credentials 3 paths

~/.aws/credentials Read 847

~/.aws/config Read 203

~/.ssh/id_rsa Read 203

🔑 SSH Keys 2 paths

~/.ssh/id_rsa Read 203

~/.ssh/config Read 89

🍪 Browser Data 3 paths

~/Library/…/Chrome/Default/Cookies Read 156

~/Library/…/Firefox/Profiles/*/cookies.sqlite Read 43

~/Library/…/Chrome/Default/Login Data Read 28

⚙️ System Config 2 paths

/etc/hosts Read 12

/usr/local/bin Read/Write 7

📁 User Data 2 paths

~/Documents/ Read 1,247

~/Downloads/ Read 394

What it will be allowed after ShieldOps protection

✅

~/cursor-workspace/

Read/Write — working directory

✅

/tmp/cursor-*

Read/Write — temp files

✅

Outbound: *.cursor.sh

Network only to Cursor domains

Blocked paths

🚫 ~/.aws/

🚫 ~/.ssh/

🚫 Browser data directories

🚫 /etc/hosts

🚫 All other paths — blocked by default

Source Details

Source type

github-download

Download URL

github.com/getcursor/cursor/releases/v0.4.2/cursor-agent

SHA256

a3f8d2c1e4b7f9a2d5e8c3b6f1a4d7e2c5b8f3a6d9e2c5b8a1d4e7c2b5f8a3

First seen

March 4, 2025

File size

24.7 MB

Architecture

arm64 (Apple Silicon)

Introduced By

Alex Chen

Senior Engineer

Installed on 23 endpoints

First seen: Mar 4, 2025

Sarah Mitchell

DevOps Lead

Installed on 14 endpoints

First seen: Mar 6, 2025

Marcus Johnson

ML Engineer

Installed on 10 endpoints

First seen: Mar 8, 2025

Version History

Version	First Seen	Endpoints	Status
v0.4.2 (current)	Mar 8, 2025	47	⚠ Under review
v0.4.1	Feb 14, 2025	12	✓ Clean
v0.4.0	Jan 29, 2025	8	✓ Clean
v0.3.9	Dec 11, 2024	5	✓ Clean

Community Intelligence

47% of companies with similar engineering tooling have this binary. Of those tracked by ShieldOps, 12% have flagged it for review.

Based on anonymized telemetry across ShieldOps fleet

⚠

Suspicious — Investigate Before Allowing

Apply zero trust file control immediately and review the behavioral indicators below.

Scan Results — 8 Engines

Engine	Type	Result
ShieldOps Behavioral AI	AI/ML	⚠ 2 indicators
ShieldOps Static Analysis	Static	⚠ Unusual network module
VirusTotal (ClamAV)	Signature	✓ Clean
VirusTotal (ESET)	Signature	✓ Clean
VirusTotal (Kaspersky)	Signature	✓ Clean
VirusTotal (Microsoft)	Signature	✓ Clean
Intezer	Genetic	✓ No malware genes
Hybrid Analysis	Sandbox	⚠ Anomalous network calls

Behavioral Indicators

Credential File Access Pattern

Binary reads ~/.aws/credentials and ~/.ssh/id_rsa without user-initiated action. Access observed 847 and 203 times respectively across fleet. This access pattern is not consistent with Cursor AI's documented functionality.

Observed: 847 times First: March 4, 2025 Last: 2 hours ago

Outbound Traffic to Non-Cursor Infrastructure

Binary makes HTTP POST calls to 3 IP addresses not associated with Cursor's known infrastructure (*.cursor.sh, *.anysphere.inc). Calls occur within 60 seconds of credential file access.

104.21.47.28 🔍 lookup 172.67.183.41 🔍 lookup 45.33.32.156 🔍 lookup

Observed: 23 times First: March 6, 2025 Last: 14 hours ago

ShieldOps AI Static Analysis

Static analysis of cursor-agent-v0.4.2 reveals it contains a networking module (libnet_agent.dylib) that is not present in Cursor AI's open-source repository or any of its prior releases. This module implements a custom HTTP client that operates independently of the application's main process, communicating with 3 external IP addresses on port 443. The credential file access pattern — specifically the timing correlation between credential reads and subsequent outbound HTTP calls — does not match Cursor AI's documented cloud sync or telemetry functionality. This binary warrants manual investigation and should be treated as potentially compromised until cleared.

No CVE Records Found

cursor-agent-v0.4.2 is not a recognized publisher package registered in any CVE database (NVD, MITRE, GitHub Advisory Database). This is itself a significant risk factor: if this binary contains vulnerabilities, they will never be disclosed through standard channels, and no patch notifications will be issued. Organizations cannot rely on CVE-based patch management for this binary.

CVE databases checked

NVD, MITRE, GitHub Advisory, OSV

Known publisher packages with CVEs

No publisher registration found

CVEs in Cursor IDE (parent application)

For reference — these affect the main Cursor app, not this binary

No CVEs recorded for Cursor IDE as of April 2025

Why this matters

Unverified binaries represent a blind spot in traditional vulnerability management. CVE-based patching workflows cannot protect against risks in software that lacks publisher verification. ShieldOps behavioral monitoring fills this gap.