Apparently @cursor_ai's official position on MCP is "MCP servers, especially ones that connect to untrusted data sources, present a serious risk to users. We always recommend users review each MCP server before installation and limit to those that access trusted content."

This was in response to a classic lethal trifecta attack - here an attacker filed a Jira issue (via a support ticket) which caused Cursor to steal developer secrets from environment variables and submit them to an attacker's server

The only solution I know of to the lethal trifecta is to cut off one of the three legs - when Cursor say "limit to those that access trusted content" they're recommending avoiding exposure to untrusted data that might contain malicious instructions, which is often very hard to do

Correction to this thread: I said the developer secrets were stolen from environment variables but actually it looks like they stole a JWT token that was hard-coded in source code. More of my notes here: