by BeefWellington 527 days ago
This response doesn't make a lot of sense.

What's the justification for taking all of the environment variables? This post tries to paper over that particular problem. If your goal was to see if you could attack the dependency chain, the first steps of user+hostname would have been sufficient to prove your case.

Taking the environment variables is about taking the secrets, and kind of moves this from PoC to opposition supply chain attack. Not to mention it's not only Cursor devs that would be affected by this; it could have (if your plan worked) attacked anyone using the extensions.

It's also a tough buy given the note about the Snyk cofounder moving to compete directly with Cursor (courtesy @tankster): https://techcrunch.com/2024/11/14/tessl-raises-125m-at-at-50...

Assuming truly innocent motivations, you guys still need to give your heads a shake and rethink your approaches here.


Frankly, I wouldn't be surprised if this was a case of Hanlon's razor. Some "researcher" thought, well, ENV vars will certainly show us what we want, and that's where the conversation ended, without thinking a little harder about what else might be in the vars.
That's not really plausible in the modern legislative environment (pun intended), considering your env vars will contain GDPR-controlled data like your username, at the very least. Combined with the IP address it was collected from, they know who you are and where you live.