DuneSlide: Zero-Click Prompt Injection Escapes Cursor’s Sandbox on Fortune 500 Developer Machines — MCP Response Is Enough
Cato AI Labs disclosed two CVSS 9.8 vulnerabilities in Cursor IDE — used by 50%+ of the Fortune 500, recently acquired by SpaceX for $60B. A poisoned MCP server response or web search result causes the agent to overwrite the sandbox binary and run arbitrary code with no user click or approval. Both patched in Cursor 3.0. Cato says similar flaws exist in all popular coding agents.
Threats & Attacks
Normal prompt. Agent reads MCP response. Sandbox binary overwritten. No click. Full machine. Cursor used by 50%+ Fortune 500. Cato: similar flaws in all popular coding agents. Update to Cursor 3.0 now.
BlueHammer CISA KEV. UnDefend silently degrades protection. RoguePlanet: no patch, works on fully patched Win10/11. Microsoft vs researcher — community sided against Microsoft.
Payload in DNS TXT record — never in repo. Static analysis, human review, AI agent: all blind. “Claude Code never decided to open a shell. It decided to fix an error.”
Bypasses TOTP, push, SMS. Token survives password resets. Conditional Access doesn’t block it by default. FBI advisory on Kali365.
Never touches disk. Poisons kernel page cache. FIM, Tripwire, AIDE all report clean. Ubuntu patches pending.
No org membership. Owner-level Google Cloud. Non-expiring Microsoft Sentinel keys. Python Black for 130M installs. AI agents reproducing the pattern.
Intelligence & Deep Dive
The DataWater Intelligence Brief
Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise.
