Agentic AI challenges in IDE: Forensic and extraction of traces PART 3
Background: Continuing our research into the forensic traces left by IDEs, this part looks at the Cursor AI IDE.
Traces:
As in our previous research, we saw that some of its components rely on VS Code. And as in the previous cases, it leaves its generated files in the APPDATA directory.

Another finding during forensics: we can see metadata about the projects the victim had worked on.
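
A read-only triage pass for the project-metadata finding above, added here as an example and not taken from the original research. It assumes the VS Code-style layout, where each workspace gets its own folder holding a `workspace.json` with a `folder` or `workspace` URI. The `workspaceStorage` directory name, the key names and the sample tree are assumptions or constructed data, not values shown on this page.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import unquote, urlparse


def list_workspace_traces(ide_root):
    """Read-only pass over an IDE data directory (live or from an image).

    Assumed layout: <ide_root>/.../<workspace-id>/workspace.json holding a
    "folder" or "workspace" URI. Returns one record per file found.
    """
    records = []
    for meta in sorted(Path(ide_root).rglob("workspace.json")):
        record = {"source": str(meta), "workspace_id": meta.parent.name,
                  "scheme": None, "project": None, "modified_utc": None}
        try:
            mtime = meta.stat().st_mtime
            record["modified_utc"] = datetime.fromtimestamp(
                mtime, timezone.utc).isoformat()
            data = json.loads(meta.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            records.append(record)  # keep damaged files visible in the report
            continue
        uri = (data.get("folder") or data.get("workspace")) if isinstance(data, dict) else None
        if isinstance(uri, str):
            parsed = urlparse(uri)
            record["scheme"] = parsed.scheme  # "file" for local projects
            record["project"] = unquote(parsed.path)
        records.append(record)
    return records


def build_sample_tree(root):
    """Constructed sample data: two workspaces, one with a truncated file."""
    samples = {
        "1a2b3c": '{"folder": "file:///c%3A/Users/dev/src/payments-api"}',
        "4d5e6f": '{"folder": "file:///c%3A/Us',  # truncated on purpose
    }
    for workspace_id, body in samples.items():
        folder = Path(root) / "workspaceStorage" / workspace_id
        folder.mkdir(parents=True)
        (folder / "workspace.json").write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in list_workspace_traces(tmp):
            print(row["workspace_id"], row["scheme"], row["project"], row["modified_utc"])
```

The `modified_utc` value gives a last-touched time per project, and a non-`file` scheme points to a remote workspace whose source code is not on the examined disk.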

Conclusion: All 3 IDEs - VS Code, Antigravity, and Cursor AI - have shown the same traces. Both Antigravity and Cursor AI have the same dependency on VS Code. According to findings at this stage, if for some reason infostealers or malware appear in the victim's environment, they can enumerate those directories and steal source code-related data.
