How a fake npm package made Cursor backdoor a Next.js admin route

DEV Community·Oopssec Store·20 days ago

A two-flag chain that walks an attacker from a developer's stray dev-comment, through a typosquatted npm package, into an AI rules file dropped on disk, ending with a runtime backdoor the AI agent silently injected into the application's admin API. The OopsSec Store ships with a stray dev TODO comment on the documents page. The comment mentions a typosquatted npm package and a "diag endpoint". In a real install, that package's postinstall script would drop a Cursor rules file into the developer's home directory. The rules file carries a prompt injection telling the AI agent to add a magic-header auth bypass the next time it touches admin code. By the time the PR ships, both the bad dependency and the backdoor are in.…
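
A defender-side check for the two supply-chain steps described above, as an added example that is not from the original article: it audits a parsed package-lock.json for names within a small edit distance of reviewed dependencies and for packages npm marks with hasInstallScript. The lockfile, the package names and the TRUSTED list are constructed for illustration.

```javascript
// Levenshtein edit distance, used to spot near-miss (typosquat) names.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3).
// trusted: dependency names the team has reviewed and expects to see.
function auditLockfile(lock, trusted) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf(marker);
    if (at === -1) continue; // root project or workspace entry
    const name = path.slice(at + marker.length);
    if (trusted.includes(name)) continue;
    // Threshold 2 catches swaps and doubled letters; very short names need a tighter one.
    const lookalike = trusted.find((t) => editDistance(name, t) <= 2);
    if (lookalike) findings.push({ name, reason: "lookalike", of: lookalike });
    // npm sets hasInstallScript for packages with install-time lifecycle scripts.
    if (entry.hasInstallScript) findings.push({ name, reason: "install-script" });
  }
  return findings;
}

// Constructed sample data: names and versions are placeholders, not from the article.
const TRUSTED = ["react", "next", "esbuild"];
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-shop" },
    "node_modules/react": { version: "0.0.0" },
    "node_modules/next": { version: "0.0.0" },
    "node_modules/esbuild": { version: "0.0.0", hasInstallScript: true },
    "node_modules/raect": { version: "0.0.0", hasInstallScript: true },
    "node_modules/next/node_modules/left-helper": { version: "0.0.0", hasInstallScript: true },
  },
};
console.log(auditLockfile(sampleLock, TRUSTED));
```

Anything flagged for an install script can be reviewed before its hooks run by installing with npm's `--ignore-scripts` flag.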
