Coding Assistant wipes our Mac - what we learned about running AI securely

An AI coding assistant accidentally deleted all files on a Mac due to a path confusion error.

7th Nov 2025 · Dhruv Tandon · 3 mins

security · AI Coding · Agents

TL;DR

  • Cursor + Composer deleted everything on our Mac 

    • Composer created a config folder for MCP under /home/user/project/~/.cursor/mcp.json

    • Best guess: We asked Composer to copy this file to “the correct location”. It moved it and then attempted to delete the incorrect file. However, it got confused and somehow ran a delete on the ~ path, which ended up deleting everything on our Mac.

  • Privacy mode prevented the team from retrieving detailed logs to confirm exact commands.

  • We’re now isolating AI coding tools in containers and tightening local safeguards.


Context

This afternoon the weather was good, and I had just shipped a small component for a chat‑based UI widget in about 20 minutes. I was using Claude Code and wanted to update Linear tickets from the terminal, so I installed the Linear MCP and told my co‑founders about it.

One co‑founder has been bouncing between Claude Code and Cursor, and had recently returned to Cursor to try the new Composer model.

“Cursor Composer is awesome, it’s really fast and powering through the work.”

A few minutes later:

“Hmmm, all my files seem to be getting deleted…”

“Hmm, Apple Keychain got deleted, that’s weird..”

“My computer froze… oh no, let me reset it.”

On reboot, the Mac was completely wiped.

What happened (best‑effort reconstruction)

  1. Cursor Composer was used to install an MCP, which required creating a JSON config file.

  2. We noticed the file and asked for it to be deleted from the current directory and moved to the home directory.

  3. Shortly after, the system began deleting files. Apple started throwing up random keychain warnings and then froze.

  4. After a reboot, the Mac had been reset to a factory‑fresh state.

We spoke with the Cursor team to piece together the timeline, but we had privacy mode on. They mentioned encountering something similar when Cursor is loaded from the home directory but were unable to offer any real resolution.


Impact

  • Full device wipe. Personal documents and local data were lost.

  • Immediate work disruption and time spent on recovery.

  • Initial concern about potential data exfiltration. We have no evidence of exfiltration at this time, but remain cautious.

Prior art and warnings

My co‑founder had attended a talk by Simon Willison highlighting the risks of giving AI broad powers in local environments. This incident is a clear example of why that caution matters.

Safeguards and changes we’ve made

AI coding tools can run shell commands that are deceptively simple but extremely destructive. Treat every “move” or “cleanup” request like a production migration.

  • Run AI coding tools inside containers or VMs by default to sandbox effects.

  • Prompt for confirmation on commands that affect directories above the current working directory.

  • Maintain versioned, off‑device backups and secrets vaults to reduce blast radius.

  • Keep privacy mode on, but consider local command logging so vendors aren’t your only source of truth.
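
One way to implement the confirmation check from the list above, as an added example (not code from Cursor or from our own tooling). It only handles plain `rm` invocations, and the function names and sample paths are constructed for illustration, with the project path taken from the TL;DR.

```python
import os
import shlex

# Constructed sample paths matching the layout described in the TL;DR.
CWD = "/home/user/project"
HOME = "/home/user"

def resolve_target(token, cwd, home):
    """Resolve one rm argument the way an interactive shell would."""
    if token == "~" or token.startswith("~/"):
        # Unquoted leading tilde: the shell expands it to $HOME.
        path = home + token[1:]
    else:
        # A quoted tilde ('~') or ./~ stays a literal directory name.
        path = token.strip("'\"")
    # normpath collapses ".." without touching the disk; a production
    # guard should use os.path.realpath so symlinks are followed too.
    return os.path.normpath(os.path.join(cwd, path))

def needs_confirmation(command, cwd, home):
    """Return the rm targets that are cwd itself or lie outside it."""
    # posix=False keeps quote characters, so '~' and ~ stay distinguishable.
    tokens = shlex.split(command, posix=False)
    if not tokens or tokens[0] != "rm":
        return []
    flagged = []
    for tok in tokens[1:]:
        if tok.startswith("-"):
            continue  # option such as -rf, not a path
        target = resolve_target(tok, cwd, home)
        inside = os.path.commonpath([target, cwd]) == cwd and target != cwd
        if not inside:
            flagged.append(target)
    return flagged

if __name__ == "__main__":
    for cmd in ["rm -rf ./~", "rm -rf '~'", "rm -rf ~", "rm -rf ~/"]:
        hits = needs_confirmation(cmd, CWD, HOME)
        print(f"{cmd!r:16} -> {'CONFIRM ' + str(hits) if hits else 'ok'}")
```

The first two commands remove the stray `~` directory inside the project; the last two differ by only a few characters and resolve to the home directory. Commands wrapped in `sudo`, chained with `&&`, or using variables or `~user` forms are not parsed here and should be held for confirmation by default.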


Closing thought

We’re still fans of AI coding assistance, and Cursor is a great product. But this incident is a reminder: without strong guardrails, convenience can outweigh safety in a single command. We also didn’t see or hear of any examples in our community of terrible things happening, but we are now going to be significantly more careful and wanted to let others know about these failure modes.

San Francisco HQ

6th Street
CA 94103


London
Regents Park

NW1 4SA

Copyright © 2024. All rights reserved
