The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you're compromised