@cursor/sdk
TypeScript SDK for Cursor agents.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/esm/429.index.js | AI (source-diff): Webpack ESM bundle chunk; minified build output. | ai | |
| source-diff | net-exec-file:dist/cjs/745.index.js | AI (source-diff): Bundled library code (ajv, opentelemetry) naturally contains net+eval patterns. | ai | |
| source-diff | obfuscated-file:dist/cjs/429.index.js | AI (source-diff): Webpack bundle chunk; not obfuscated, just minified build output. | ai | |
| source-diff | obfuscated-file:dist/esm/745.index.js | AI (source-diff): Webpack ESM bundle chunk; minified build output. | ai | |
| source-diff | obfuscated-file:dist/cjs/745.index.js | AI (source-diff): Webpack bundle chunk bundling opentelemetry/ajv; minified build output. | ai | |
| source-diff | net-exec-file:dist/esm/745.index.js | AI (source-diff): ESM counterpart of same bundled library code. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official Cursor SDK with 128k weekly downloads; not spam. | ai | |
| phantom-deps | phantom-dep:@statsig/js-client | AI (phantom-deps): Consumed via webpack bundle, not direct import; stable false positive. | ai | |
| source-diff | obfuscated-file:dist/cjs/642.index.js | AI (source-diff): Webpack-bundled dist output with readable module paths; standard for this SDK package. | ai | |
| source-diff | obfuscated-file:dist/esm/642.index.js | AI (source-diff): ESM webpack bundle counterpart; same pattern as CJS build. | ai | |
| source-diff | encoded-string-file:dist/cjs/index.js | AI (source-diff): Long strings are URI-reference regexes from bundled ajv-formats; not payloads. | ai | |
| source-diff | encoded-string-file:dist/esm/index.js | AI (source-diff): ESM counterpart; same ajv-formats regex strings. | ai | |
| phantom-deps | phantom-dep:sqlite3 | AI (phantom-deps): Declared in dependencies; used in build/config, not direct imports. | ai | |
| phantom-deps | phantom-dep:@connectrpc/connect-node | AI (phantom-deps): Declared in dependencies; used in build/config, not direct imports. | ai | |
| phantom-deps | phantom-dep:@bufbuild/protobuf | AI (phantom-deps): Declared in dependencies; used in build/config, not direct imports. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 1.0.18 | 6 / 29 | |
| 1.0.17 | 6 / 29 | |
| 1.0.16 | 6 / 29 | |
| 1.0.15 | 6 / 28 | |
| 1.0.14 | 6 / 28 | |
| 1.0.13 | 6 / 28 | |
| 1.0.10 | 6 / 28 | |
| 1.0.9 | 6 / 28 | |
| 1.0.7 | 5 / 28 | |
v1.0.18
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.17
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.16
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.15
6 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (ssokolin-cursor) than the most recent previously approved version (katiabazzi) on 2026-05-28, but ssokolin-cursor is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.14
6 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- This version was published by a different npm account (ssokolin-cursor) than the most recent previously approved version (katiabazzi) on 2026-05-27, but ssokolin-cursor is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v1.0.13
6 findings
- This version was published by a different npm account than previous versions on 2026-05-12. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.10
6 findings
- This version was published by a different npm account than previous versions on 2026-04-29. This could indicate a legitimate maintainer transition or an account compromise.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
5 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.