Fake Cursor / Replit / Windsurf AI code editor subscription payment failed, coding environment and workspace suspended, or AI coding features disabled phishing — fraudulent email impersonating Cursor, Replit, or Windsurf claiming the subscription payment has failed, the AI code editor and workspace are suspended, or AI coding features and repls are no longer active — Cursor: 1M+ paying users ($20/month Pro, $40/month Business); Replit: 4M+ users ($20/month Core, $25-40/month Teams); distinct from GitHub Copilot phishing; AI coding tool suspension disables the entire development workflow — editors switch to read-only mode, AI completions stop, and cloud execution environments go offline

Phishing emails impersonating Cursor, Replit, or Windsurf claiming the AI code editor subscription payment has failed, the coding environment and workspace are suspended, or AI coding features and repls are no longer active — directing them to update billing or restore AI coding access through a credential-harvesting portal. Key facts: (1) AI code editor suspension disables the entire modern development workflow simultaneously: Cursor serves 1M+ paying users ($20/month Pro, $40/month Business) as an AI-first code editor that developers use as their primary IDE — when a Cursor subscription lapses, AI completions stop, AI chat is disabled, the editor may switch to read-only or limited mode, and all AI-powered coding features that developers have integrated into their daily workflow are unavailable; for developer teams where Cursor Business is the mandated IDE, every developer on the team simultaneously loses AI coding assistance; (2) Replit's cloud execution model creates immediate deployment urgency: Replit serves 4M+ users ($20/month Core, $25-40/month Teams) as a browser-based coding environment where repls are both the development environment and the deployment target — when a Replit subscription lapses, all running deployments and always-on repls go offline, team workspaces become inaccessible, and collaborative coding sessions are terminated; for developers who host production applications on Replit (particularly indie developers and students), account suspension means their deployed applications are immediately taken offline; (3) Windsurf (Codeium) and the new generation of AI coding tools create a rapidly growing impersonation surface: Windsurf by Codeium grew from 0 to 1M+ users in 2024-2025 and represents a new category of AI IDE that attackers began targeting as the tool achieved critical developer adoption — 'your Windsurf subscription has been suspended' is a novel phishing lure that developers have not been conditioned to verify skeptically because the tool is too new for established phishing awareness training; (4) AI coding tool credentials expose team repositories and connected development infrastructure: Cursor Business accounts integrate with GitHub, GitLab, and Bitbucket for codebase context — compromised Cursor credentials give attackers access to repository OAuth tokens and codebase indexing data; Replit accounts store OAuth tokens for connected GitHub repos, and team accounts expose the code of all team members' shared repls; (5) The developer target demographic has high value but mixed security awareness: developers are high-value credential targets (access to production systems, deployment credentials, API keys in code) but AI coding tool billing emails look generic and legitimate, and many developers operate with personal credit cards on individual plans where they may not recognize unusual billing patterns immediately. Warning signs: sender not cursor.com, replit.com, or codeium.com; genuine Cursor billing is at cursor.com/settings; Replit billing at replit.com/account.