CVE-2025-27554 Information

Description

ToDesktop before 2024-10-03 as used by Cursor before 2024-10-03 and other applications allows remote attackers to execute arbitrary commands on the build server (e.g. read secrets from the desktopify config.prod.json file) and consequently deploy updates to any app via a postinstall script in package.json. No exploitation occurred.

Reference

https://kibty.town/blog/todesktop
https://news.ycombinator.com/item?id=43210858
https://www.todesktop.com/blog/posts/security-incident-at-todesktop
