Snyk appears to deploy 'malicious' packages targeting Cursor for unknown reason

Packages removed, vendor said to have apologized to AI code editor as onlookers say it could have been a test

Updated Developer security company Snyk is at the center of allegations concerning the possible targeting or testing of Cursor, an AI code editor company, using "malicious" packages uploaded to NPM.

Paul McCarty, a security researcher at SourceCodeRed.com, said he made the "strange" finding during a malicious package detection routine. He claimed a user named "sn4k-s3c" had uploaded three packages that were later tagged as malicious and named in a way that seemingly targeted Cursor:

  • cursor-retrieval

  • cursor-always-local

  • cursor-shadow-workspace

"If you install any of these packages they will collect data about your system and send it to an attacker-controlled web service," he claimed.

The cursor-shadow-workspace package, for example, would capture outputs of an env command, he said. Secrets exposed by such commands include GitHub credentials, AWS keys, and NPM tokens, McCarty added, so they would be compromised if the package was run.

He went on to say: "Now, typically, when we see packages like this, they are attempting to perform a dependency confusion attack on a specific company. I don't know if Cursor.com has a bug bounty program or a specific background. Still, I would suspect that Cursor has several NPM private packages named 'cursor-always-local,' 'cursor-retrieval,' and 'cursor-shadow-workspace.'"

The packages have since been removed from NPM, the open source JavaScript package library, but before they were, McCarty claimed the metadata indicated that an individual using a Snyk.io email address authored the malicious packages.

The Register asked Snyk and Cursor for additional information. Snyk's UK press team responded saying it was looking into it, and Cursor didn't respond.

Conspiracists have flocked to the forums, however. A Hacker News thread is littered with negative perspectives, highlighting a number of Snyk's past indiscretions.

More sensible takes on the situation aren't as inflammatory. It's very possible there was no foul play involved. NPM has a reputation for behaving in unpredictable ways when it detects public and private packages with the same name, while others pointed out Snyk may have just been trying to test and later report a bug to Cursor.
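The dependency confusion theory above rests on an unscoped internal name resolving to the public registry. As an added example that is not code from the article, Snyk or Cursor, the check below reads a package.json and the registry lines of an .npmrc, works out which registry each dependency would be fetched from, and flags names that follow an internal naming convention yet resolve to registry.npmjs.org. The manifest, the `cursor-` prefix rule, the `@cursor` scope and the internal registry URL are constructed placeholders.

```javascript
// Added example (not from the article, Snyk or Cursor): flag dependencies that
// look internal by naming convention but would be fetched from the public npm
// registry, which is the window a dependency-confusion publish exploits.

const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Parse the registry-selection subset of .npmrc:
//   registry=<url>           default registry for unscoped and unpinned names
//   @scope:registry=<url>    registry pinned for one scope
function parseNpmrc(text) {
  const cfg = { registry: PUBLIC_REGISTRY, scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.registry = value;
    else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = value;
    }
  }
  return cfg;
}

// Registry a dependency name resolves from under this config.
function registryFor(name, cfg) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  return (scope && cfg.scopes[scope]) || cfg.registry;
}

// Dependencies that match the internal prefix but resolve to the public registry.
function findConfusable(packageJson, npmrcText, internalPrefix) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  return Object.keys(deps)
    .filter((n) => n.startsWith(internalPrefix) && registryFor(n, cfg) === PUBLIC_REGISTRY)
    .sort();
}

// Constructed sample input (hypothetical manifest, not Cursor's): the three names from
// the article as unscoped deps, plus a scoped name pinned to a placeholder internal registry.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'cursor-retrieval': '^1.0.0', 'cursor-always-local': '^1.0.0', express: '^4.0.0' },
  devDependencies: { 'cursor-shadow-workspace': '^1.0.0', '@cursor/shadow-workspace': '^1.0.0' },
};
const SAMPLE_NPMRC = '# placeholder internal registry\n@cursor:registry=https://npm.internal.example/\n';
console.log(findConfusable(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, 'cursor-'));
```

An internal registry that proxies upstream to npmjs.org can still serve the public package, so this catches only the client-side half of the exposure; scoping internal names and pinning the scope's registry closes it.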

Arvid Lunnemark, co-founder of Anysphere (the company behind Cursor), however, shed some light on what happened behind the scenes.

He wrote in a Hacker News thread that suggestions it was an error on NPM's side could not be correct, given that Snyk's packages carried the names of Cursor's bundled extensions, which aren't packaged or uploaded to a registry.

Lunnemark also told the forum that Cursor didn't hire Snyk to carry out any kind of security audit.

"We did not hire Snyk, but we reached out to them after seeing this and they apologized. We did not get any confirmation of what exactly they were trying to do here," he said in a comment.

Responding on the thread to specific theories that Snyk may have just wanted to raise awareness of a possible dependency confusion vulnerability, he said it was "plausible" despite being a "pretty irresponsible" means of doing so.

Speaking to The Register, McCarty told us: "I confirmed that this definitely came from Snyk, and I talked to the person who published the packages." ®

Updated to add at 1452 UTC, January 14

Following publication, Danny Allan, chief technology officer at Snyk, provided this statement:

Snyk Research Labs regularly contributes back to the community with testing and research of common software packages. This particular research into Cursor was not intended to be malicious and included Snyk Research Labs and the contact information of the researcher. We were very specifically looking at dependency confusion in some VS Code extensions. The packages would not be installed directly by a developer.

Snyk does follow a responsible disclosure policy and while no one picked this package up, had anyone done so, we would have immediately followed up with them.
