NomShub: How to Check If Your Mac Was Affected by the Cursor Sandbox Escape

Introduction

In January 2026, Straiker AI disclosed a three-stage attack chain against Cursor, the AI coding editor, on macOS. They named it NomShub. Cursor patched it in version 3.0 on April 2, 2026.

If you use Cursor on macOS and worked with any external or untrusted repositories before that date, there are specific things on your machine to check. This article walks through the attack mechanism, how to look for indicators of compromise, what to do if you find them, and what the fix in Cursor 3.0 actually changed.

How the Attack Works

NomShub chains three distinct stages. Each stage depends on the previous one.

Stage 1: Indirect Prompt Injection

Cursor reads repository content as AI context. README files, configuration files, code comments, documentation. This is by design: the AI needs to understand the project to help with it.

An attacker embeds natural language instructions in any of these files. Not as executable code. As text, the same way a developer would write a comment. When you open the repository and ask the AI anything, the agent processes those instructions as part of its context and follows them.

This is indirect prompt injection. The payload is in content the agent reads as part of its job, not in anything the user typed.

Stage 2: Sandbox Escape via Shell Builtins
Cursor implements a filter called shouldBlockShellCommand to prevent the AI agent from running dangerous commands outside the intended workspace. The filter blocks patterns it recognizes as dangerous.

It does not block shell builtins: export, cd, source, eval. These are built into the shell interpreter itself, not commands the filter tracks.

The NomShub attack chains builtins to achieve what the filter is designed to prevent:

export CWD=~ && echo $CWD && cd $CWD && echo '/tmp/run.sh' > .zshenv

Each component of this passes the filter individually. Together, they navigate from the project directory to the home directory and write a line into ~/.zshenv. That file is a shell startup script: every terminal session that opens afterward executes /tmp/run.sh.

Stage 3: Persistent C2 via cursor-tunnel

Cursor ships with cursor-tunnel, a binary used for remote development via Microsoft Dev Tunnels. It is Apple-signed and notarized. macOS trusts it. Endpoint security tools trust it. Its traffic goes to Microsoft's Azure infrastructure over HTTPS on port 443.

The injected instructions tell Cursor to:

1. Kill any existing tunnel sessions
2. Clear cached GitHub credentials
3. Start a new tunnel session
4. Print the GitHub device authorization code to the terminal

Cursor does all of this. The authorization code appears in terminal output. The attacker's payload reads it from the output and sends it to attacker-controlled infrastructure. The attacker enters the code into GitHub's OAuth device flow, registers the tunnel under their account, and gains authenticated shell access to your machine via the spawn RPC method.

The .zshenv entry reruns this sequence automatically if the connection drops. The access survives reboots. To anything monitoring your network traffic, it looks like normal Cursor remote development.

Who Is Affected

Cursor users on macOS, running versions prior to 3.0, who opened a repository containing the NomShub payload.

This is macOS-specific. The attack uses cursor-tunnel and shell startup behavior that does not apply in the same way on Windows.

Repositories that could contain the payload include: public GitHub repositories crafted by an attacker, pull requests from external contributors, and dependency repositories that an AI agent reads as context while working on a project.

How to Check Your Machine

Run these checks now if you were on a Cursor version earlier than 3.0 on macOS.

Check 1: ~/.zshenv
cat ~/.zshenv

If you see any entries that reference /tmp/ paths, shell scripts you don't recognize, or lines you didn't write, treat that as a potential indicator of compromise. Document what you find before removing anything.

Check 2: GitHub Device Authorizations

Go to github.com/settings/connections. Look for any Dev Tunnel entries you didn't set up yourself. If you see an unrecognized tunnel registration, revoke it immediately.

Check 3: Running Processes

ps aux | grep cursor-tunnel

If cursor-tunnel is running and you haven't intentionally started a remote development session, investigate.

Check 4: Shell History

cat ~/.zsh_history | grep .zshenv

Look for any commands that wrote to .zshenv during your Cursor sessions.

What to Do If You Find Something

If any of the above checks returns unexpected results, treat the machine as potentially compromised.

1. Remove the suspicious .zshenv entries. Open the file in a text editor and delete the lines you don't recognize.
2. Revoke all GitHub device authorizations under Settings > Connections.
3. Rotate credentials stored in locations the Cursor process could access: environment variables, any .env files in projects you worked on during the affected period, SSH keys, and cloud credentials if Cursor had access to terminal sessions where those were active.
4. Check for processes running from /tmp/ paths and terminate them.

If you cannot account for the source of a .zshenventry, rotate the credentials accessible from that machine before relying on it for sensitive work.

What Cursor 3.0 Changed

The patch in Cursor 3.0 strengthens shouldBlockShellCommand to address the builtin chaining gap. The specific export + cd + source + eval combination that NomShub uses no longer passes the filter.

Cursor has not published a detailed changelog for the security fix as of this writing. The Straiker AI disclosure was coordinated, and the patch was in the April 2 release.

Why This Problem Is Bigger Than the Patch

The NomShub fix closes a specific sandbox gap in Cursor 3.0. The structural problem it documents is not closed anywhere.

AI coding tools read repository content as instructions. They run commands autonomously. They ship with legitimate remote access binaries used for real product features. Every repository that an AI agent reads as context is a potential attack surface.

Palo Alto's Unit 42 documented Chinese APT Stately Taurus using VS Code's remote tunnel feature for persistent access against Southeast Asian government targets in September 2024. NomShub demonstrates that the technique does not require the attacker to compromise the machine first. It can be delivered through natural language in a file the agent reads as part of doing its job.

The broader practice this points to: treat repository content as potentially untrusted input, the same way you treat user input in applications you build.

How Armor1 Prevents This

Armor1 enforces local runtime policies via hooks inside Cursor, positioned directly in the execution path. This is where NomShub's kill chain is stopped.

Shell execution hooks evaluate command chains before they run. The export+cd+eval sequence NomShub uses to escape the workspace and write to ~/.zshenv is blocked at the hook layer before the shell interpreter sees it. File access policies prevent writes to sensitive system paths, so even if a command chain reaches that stage, the ~/.zshenv modification is denied.

These hooks enforce independently of Cursor's native shouldBlockShellCommand filter, which is what NomShub bypassed. The hook layer sits inside the execution path and applies regardless of whether execution is inside or outside the sandbox boundary.

Armor1's AI coding client catalog covers 30+ tools across 16 security categories including Sandbox Isolation, Filesystem Isolation, Script Hooks, and Network Egress, giving teams a governance baseline alongside the runtime enforcement layer.
For teams managing AI coding client security: https://tinyurl.com/Armor1AIMCP3