Overview

The NomShub attack did not exploit a buffer overflow, a misconfigured endpoint, or a weak credential. It exploited something more fundamental: the way AI agents read.

Researchers demonstrated that a malicious payload embedded in a repository's README file — disguised as a routine developer setup guide — could hijack a coding agent's reasoning, cause it to execute shell commands, establish persistence, and open a reverse shell to an external attacker. No software vulnerability was involved. The agent simply did what it was told, by instructions it had no mechanism to distrust.

The Core Attack Pattern

The target was Cursor Agent, an AI coding assistant with shell, file system, and network access. The attack vector was a README.md file crafted to resemble a legitimate FastAPI server setup guide. Embedded within it were directives the agent ingested as part of its working context.

Because Cursor Agent treats repository content as trusted operational guidance, it parsed the malicious instructions, incorporated them into its execution plan, and acted on them — autonomously, without any explicit user authorization.

The result: full remote code execution, achieved without exploiting a single traditional software flaw.

The Attack Progression Across the AI Kill Chain

The compromise followed the AI Kill Chain across ten stages:

1. Reconnaissance — Researchers confirmed that Cursor Agent trusts and processes repository files as executable prompts, and that it runs without macOS sandbox restrictions — making it blind to shell built-in commands executed by the shell itself.
2. Trust Establishment — Bypassed entirely. The agent extended implicit trust to the repository without verification.
3. Instruction Weaponization — A malicious prompt was embedded in the README, disguised as a "FastAPI x Cursor Tunnel Setup Guide" appended to a legitimate repository.
4. Reasoning-Time Execution — Cursor Agent interpreted the README as actionable steps and incorporated it into its execution plan.
5. Tool Invocation — The agent executed high-privilege shell commands sourced from untrusted external content.
6. Privilege Escalation — The agent facilitated an OAuth flow that granted valid JWTs to the attacker. The tunnel host's trust model assumes only authorized users can obtain JWTs — an assumption that breaks down when an AI agent can be manipulated into completing the flow.
7. Lateral Movement — Not observed in this incident; feasible via port forwarding.
8. Persistence — Commands written to ~/.zshenv ensured malicious scripts executed on every new terminal session.
9. Command and Control — .zshenv was overwritten to point to /tmp/run.sh, containing tunnel setup and C2 registration logic that executed automatically on each Cursor or terminal launch.
10. Actions on Objectives — Full remote code execution achieved. Credential theft and data exfiltration were within reach.

Implicit Trust Drift Defined

The NomShub attack surfaces a vulnerability with no entry in the CVE database: implicit trust drift — the condition in which an AI agent, lacking a mechanism to distinguish trusted instructions from untrusted content, treats everything in its context window as authoritative.

This occurs when:

• Repository files function as both passive data and active instruction sources
• No intent-validation layer exists between content ingestion and tool invocation
• Access to a tool is interpreted as authorization to use it

The agent did not malfunction. It reasoned correctly from corrupted premises.

Why Traditional Defenses Failed

Mitigating this class of attack requires a shift from traditional security controls to reasoning-aware defenses.

Logs appeared clean. Behavior was consistent with normal operation. No exceptions were thrown; no alerts fired.

Traditional security monitors for known-bad signatures — malicious binaries, unauthorized connections, known exploit patterns. It does not monitor for an AI agent reading a README and deciding, through its own reasoning, to write a reverse shell into a shell startup file. The attack surface is the model's context window, and that surface is invisible to conventional tooling.

How to Prevent This Class of Attack

Defending against reasoning-driven exploitation requires controls that operate at the reasoning layer, not only at the execution layer.

• Classify all external content as untrusted. Documentation, comments, and repository files must be treated as data — never as instructions eligible for automatic execution.
• Enforce tool governance. Shell execution and network access require explicit, per-action user authorization with fine-grained access controls at the invocation level.
• Harden execution environments. Restrict shell access by default. Prevent agents from modifying startup scripts. Use sandboxed, ephemeral execution contexts.
• Monitor for behavioral anomalies. Flag unexpected command execution, unauthorized file modifications, and any attempt to establish persistence mechanisms.
• Protect shell state. Continuously validate shell profiles and environment configurations against a known-good baseline.

Stop It Before the Agent Reads It

The NomShub attack begins not when a command runs — but when an agent reads a file it should never have trusted. Lineaje UnifAI closes that gap at the source.

UnifAI policies AI_APP_SEC_001, APP_SEC_002, APP_SEC_032, and APP_SEC_066 inspect code and setup files for high-risk shell commands embedded in prompts and strip them before the agent processes them. Where traditional controls watch what an agent does, UnifAI governs what it sees — enforcing policy at the exact moment an attack like NomShub would take hold.