{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/binary-planting/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-63093"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cursor for Windows 3.2.16"],"_cs_severities":["high"],"_cs_tags":["binary-planting","ide","vulnerability","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Cursor"],"content_html":"\u003cp\u003eCVE-2026-63093 identifies a critical binary planting vulnerability affecting Cursor for Windows, specifically version 3.2.16. This flaw enables remote attackers to execute arbitrary code on a victim's system. The mechanism involves an attacker crafting a malicious Git repository containing a specially prepared \u003ccode\u003egit.exe\u003c/code\u003e executable in its root directory. When an unsuspecting developer clones and subsequently opens this crafted repository within the vulnerable Cursor IDE, the application automatically resolves and executes the workspace-resident malicious \u003ccode\u003egit.exe\u003c/code\u003e binary. This execution occurs without any further user interaction, both during the IDE's startup phase and at regular, timed intervals, granting the attacker code execution capabilities under the privileges of the user running Cursor. This vulnerability poses a significant supply chain risk, as developers could unknowingly introduce malware into their development environments simply by interacting with a seemingly legitimate code repository.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Git repository containing a hostile \u003ccode\u003egit.exe\u003c/code\u003e binary placed in the repository's root directory.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes or otherwise makes this crafted repository available to target developers (e.g., via a phishing campaign, compromised repository, or social engineering).\u003c/li\u003e\n\u003cli\u003eA developer clones the malicious repository to their local machine using any Git client.\u003c/li\u003e\n\u003cli\u003eThe developer opens the newly cloned repository within the vulnerable Cursor for Windows IDE (version 3.2.16 or earlier).\u003c/li\u003e\n\u003cli\u003eUpon opening the repository or during a recurring background process, the Cursor IDE automatically attempts to resolve and execute the \u003ccode\u003egit.exe\u003c/code\u003e binary.\u003c/li\u003e\n\u003cli\u003eDue to the binary planting vulnerability, Cursor preferentially executes the malicious \u003ccode\u003egit.exe\u003c/code\u003e located within the repository's root instead of the legitimate \u003ccode\u003egit.exe\u003c/code\u003e installed on the system.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003egit.exe\u003c/code\u003e executes arbitrary code on the developer's system, inheriting the privileges of the user running Cursor.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution, potentially leading to full system compromise, data exfiltration, or further network lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63093 leads to arbitrary code execution on the compromised developer's workstation. This gives attackers the ability to install additional malware, exfiltrate sensitive source code, steal credentials, establish persistence, or pivot into other systems within the organization's network. The nature of the attack, targeting developers' IDEs, makes it a potent vector for supply chain attacks, potentially compromising software projects and their end-users. The CVSS v3.1 Base Score of 8.8 reflects the severe consequences of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-63093 immediately by updating Cursor for Windows to a version beyond 3.2.16 as soon as a fix is available from the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect CVE-2026-63093 Exploitation - Malicious git.exe Execution\u0026quot; to your SIEM to identify suspicious \u003ccode\u003egit.exe\u003c/code\u003e executions originating from the Cursor IDE process.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, such as via Sysmon, to ensure the \u003ccode\u003eprocess_creation\u003c/code\u003e log source is captured for effective detection.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks of cloning and opening untrusted repositories, emphasizing code review and supply chain security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T15:18:04Z","date_published":"2026-07-17T15:18:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63093-cursor-binary-planting/","summary":"CVE-2026-63093 describes a binary planting vulnerability in Cursor for Windows version 3.2.16 that allows a remote attacker to achieve arbitrary code execution by placing a malicious `git.exe` file in a crafted repository's root, which the Cursor IDE automatically executes during startup or on a recurring cadence when a developer opens the repository, running the malicious binary under the privileges of the current user.","title":"CVE-2026-63093: Binary Planting Vulnerability in Cursor for Windows","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-63093-cursor-binary-planting/"}],"language":"en","title":"CraftedSignal Threat Feed - Binary-Planting","version":"https://jsonfeed.org/version/1.1"}