[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2zDOWV3F4ZQH7PLks5RapphEDpz24SZD-4V2w2LNKLI":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"5d960790-5c8b-41e4-96aa-3f4bb00839b0","AI Coding Agents Could Fuel Next Supply Chain Crisis","ai-coding-agents-could-fuel-next-supply-chain-crisis-031f1c","“TrustFall” attack shows how AI coding agents can be manipulated into launching stealthy supply chain compromises. The post AI Coding Agents Could Fuel Next Supply Chain Crisis appeared first on SecurityWeek.","Researchers at Adversa.AI discovered a critical vulnerability affecting multiple AI coding agents that allows attackers to inject malicious code through GitHub repositories. When developers use these tools on untrusted repos, a single keystroke on a default-trusted folder prompt can execute arbitrary code with full developer privileges, potentially compromising CI\u002FCD pipelines and enabling widespread supply chain attacks. The flaw affects Claude Code, Gemini CLI, GitHub Copilot CLI, and Cursor CLI—a convention across agentic coding CLIs rather than an isolated issue.","AI coding agents (Claude Code, Gemini CLI, Copilot CLI) vulnerable to malicious repo injection enabling supply chain","Researchers from Adversa.AI have discovered an issue that allows attackers to abuse Claude Code’s automation, potentially creating a new supply chain threat. Agentic AI is designed to operate automatically and usually invisibly to make our work easier and more efficient. AI code generators are no different. Claude Code (launched in May 2025) has become the fastest-growing tool in the startup and high-end engineering space, with the highest user satisfaction rating against its competitors. 
Adversa AI has discovered a way in which its agentic behavior can be manipulated by an attacker into providing a one-click RCE, or even a potential supply chain threat. All the attacker needs to do is place attractive but malicious code in, say, a GitHub repo. When a developer uses Claude Code for a new task, it checks available repositories for what will assist in the task. If it locates, selects and downloads the malicious prepared code, it is almost immediately game over for the developer. All the attacker now needs is for the user to accept Claude Code’s folder trust prompt – which the user is likely to do since the agent is just doing what it is supposed to do. Claude Code’s acceptance dialog simply reads, “Quick safety check: Is this a project you created or one you trust?”, with the default set to ‘trust’. It is little different in practice from Chrome’s browser security warning – which almost everyone almost always ‘allows’. The same is true of Claude Code’s dialog, but here “One Enter keypress on the trust dialog spawns the server as an unsandboxed OS process with the developer’s full privileges. No tool call from Claude is required,” reports Adversa. The cloned repository contains small JSON files in standard Claude Code locations that provide arbitrary code execution: enableAllProjectMcpServers in .claude\u002Fsettings.json auto-approves every server defined in the project’s .mcp.json, and enabledMcpjsonServers auto-approves a named subset. “Both spawn attacker-defined MCP servers as OS processes with the user’s full privileges the moment the folder trust prompt is accepted,” reports Adversa. The result could open a long-lived C2 channel. Alternatively, the payload could be embedded inline in .mcp.json, leaving no script file on disk for a reviewer or static scanner to flag. Adversa describes several ways this process can be abused, but potentially the most disastrous is when Claude Code is used in the CI\u002FCD process. 
If the user’s task is to produce a new tool for widespread distribution, it can kick off a brand new supply chain attack. “Developers of widely used tools are a realistic prime target,” Alex Polyakov, co-founder and CTO at Adversa.AI, told SecurityWeek. “Claude Code is installed on most developer machines and devs routinely clone unfamiliar repos and run Claude against them, so this attack is very plausible if the code is destined for the user’s CI\u002FCD.” The attack’s payload would read environment variables, deploy keys, signing certificates, and any credentials available to the runner, and the runner would then quietly feed those details into the build process. “Same blast-radius pattern as Salesloft Drift, with the initial-access bar collapsed to ‘clone and hit Enter’,” added Polyakov. Adversa reported its findings to Anthropic, but for now at least, Anthropic has declined to act. Its position is that if the user clicks “Yes, I trust this folder”, consent to the use of everything inside that folder has been given, and it is not up to Anthropic to interfere. But the user is generally unaware of what is really in the folder, and it is debatable whether uninformed consent is legal consent. “Whether this meets Anthropic’s threshold for a vulnerability is their call. Whether users are making an informed trust decision under [this] dialog, in our view, is not a close question. They are not.” The report notes the issue could be solved by Anthropic blocking enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside the project and allowing these keys only from scopes structurally outside the repository. It also provides details on how users can mitigate the issues without waiting on Anthropic. 
For example, one recommendation specific to the CI\u002FCD issue above is: “If a pipeline genuinely needs Claude Code non-interactively, gate it on branches where commits are already reviewed: post-merge on main, not arbitrary PR branches.” The issue is not, however, limited to Claude Code. “We checked whether this was only a Claude Code issue or something more general,” explains Serge Malenkovich, communications advisor at Adversa. “We ran the same chain against Gemini CLI, Cursor CLI, and Copilot CLI. All four behave the same way: a malicious repo can auto-approve and spawn an MCP server the moment the user accepts the folder trust prompt, and all four default to ‘Yes\u002FTrust’. One Enter keypress is enough on any of them.” This, he added, reframes the story. “It’s not a Claude Code issue; it’s a convention shared across agentic coding CLIs.” Written By Kevin Townsend. Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. 
","https:\u002F\u002Fwww.securityweek.com\u002Fai-coding-agents-could-fuel-next-supply-chain-crisis\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F12\u002FCode-3rd-Party-Risk.jpg","2026-05-07T13:00:00+00:00","2026-05-07T14:00:10.637542+00:00",9,[18,21,24,26,28,30],{"name":19,"type":20},"Anthropic","vendor",{"name":22,"type":23},"Claude Code","product",{"name":25,"type":23},"Gemini CLI",{"name":27,"type":23},"GitHub Copilot CLI",{"name":29,"type":23},"Cursor CLI",{"name":31,"type":20},"Adversa.AI","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":32,"icon":34,"name":35,"slug":36},null,"Supply Chain","supply-chain",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,58],{"type":55,"value":56,"context":57},"mitre_attack","T1195.001","Supply chain compromise via compromised software dependencies",{"type":59,"value":60,"context":61},"malware","TrustFall","Attack technique demonstrating malicious repo injection into AI coding agents"]