[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_J8o_od_c5g4BQN7_z7TVB68oLjQ3hjgPnxPVNA8lXs":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"0f1eb923-c66a-42b8-adcc-38ea2a980ed1","GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks","guardfall-exposes-open-source-ai-coding-agents-to-decades-old-shell-injection-ri-b8aef6","The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from Adversa AI, which has named the bypass GuardFall, found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, \"Continue,\" was built to","Adversa AI researchers discovered GuardFall, a bypass that exploits a decades-old shell injection technique to circumvent safety checks in popular open-source AI coding agents. The vulnerability affects 10 of 11 tested agents (opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and Hermes), allowing attackers to execute arbitrary commands with full account access when agents run with auto-execute enabled. Only Continue was built with proper defenses, using shell parsing that matches bash's actual behavior rather than simple text-based blocklists.","GuardFall bypass defeats shell injection protections in 10 of 11 AI coding agents.","GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks. Swati Khandelwal, Jun 30, 2026. AI Security \u002F Software Supply Chain. The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. 
New research from Adversa AI, which has named the bypass GuardFall, found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. Only one, \"Continue,\" was built to defend against it. Why does it matter? These agents run shell commands with your full account access. Point one at a booby-trapped repository or software package, and a hidden instruction can quietly run a command that wipes files or steals the secrets your account can reach, from SSH keys and cloud credentials to anything sitting in your home folder. How does it get past the guard? Most of these agents try to stay safe by checking each command against a blocklist of dangerous patterns before running it. The flaw is that they check the command as plain text, while bash rewrites that text before it actually runs. The shell strips quotes and expands shortcuts, so the filter and the shell end up looking at two different things. The simplest example: a filter watching for rm sees nothing wrong with r''m, because to a text matcher those are different strings. Bash removes the empty quotes and runs rm anyway. The same idea works in other forms: a command hidden in base64 and piped into a shell, or ordinary tools like find and dd turned destructive with the right flag. The researchers call this not a bug but \"a dangerous convention and a class of problems,\" which is why adding more blocklist patterns fixes none of it. There is no single CVE to track or patch. Two things have to line up for an attack to land, and neither is exotic. First, the AI has to produce the malicious command. A blunt \"run rm -rf\" is usually refused, but the same command tucked inside normal-looking work, such as a build file or a tool's \"documentation\" reply, gets emitted as a routine step. Second, the agent has to be running on its own, with an auto-execute flag turned on or its container sandbox switched off, both of which are routine in automated pipelines. 
The live tests used Claude Sonnet 4.6. The other ten tools all left the gap open: opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and the Hermes project, where the bug first surfaced and is documented in Hermes's own issue tracker. The tools in Adversa's survey together carried roughly 548,000 GitHub stars as of May 2026. Adversa demonstrated the full attack end-to-end against the production Plandex binary, and the same shape worked against eight others. It describes the work as lab research; no public exploitation has been reported. Continue, the one agent that held up, defends by reading the command the way bash will before deciding: it breaks the command into the same pieces the shell would, checks what actually runs, and keeps a hard list of destructive commands that are blocked outright. That protection held against every payload in Continue's default editor mode. Its command-line auto-run mode is weaker: a few payloads slipped through, though the most destructive ones still hit the hard block. Adversa calls the design portable and says re-implementing it is roughly a two-day job for an experienced engineer. What to do now None of the quick fixes is a complete answer, but they cut your exposure until a proper guard is in place: Run agents with $HOME pointed at a throwaway folder, so secrets like ~\u002F.ssh and ~\u002F.aws are out of reach. Turn off auto-execute flags such as --auto-exec, --auto-run, --auto-test, and dangerously-skip-permissions unless the job genuinely cannot pause for a human. Do not let agents run on pull requests from forks, the easy path from an attacker's file to your secrets. Treat config files shipped inside a repository, like .aider.conf.yml, as untrusted code; a malicious one can trigger the attack on the first accepted edit. GuardFall lands in the middle of a run of similar findings this year. 
Adversa's own TrustFall hit Claude Code, Cursor, Gemini CLI, and Copilot CLI, and a separate deny-rule bypass hit Claude Code. Attacks like AutoJack and Agentjacking turned poisoned content into commands that an agent runs with its owner's privileges. The common thread is simple: untrusted text keeps reaching a real shell before the guard understands what bash will actually run.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fguardfall-exposes-open-source-ai-coding.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgR59EidY6iMYv3s9bikjIxpj6_YTaUIesrZ3MyD9OqUbOk262aDW7bCArqr-IjT9CUQUSzE2F_knKKvs4bIJ2d9cuzZ-DKlmkW_Q3SO43HkA79kSVhCELVyKaStWliNZc9l1xxEGEFE5UmT1Abn6XMKTjk-rxBRTTtRAjb-jYDRKj-ODtIYy8dGQvbzDE\u002Fs1600\u002Fshell-ai.jpg","2026-06-30T14:26:15+00:00","2026-06-30T16:00:27.566452+00:00",8,[18,21,24,26,28,30],{"name":19,"type":20},"Adversa AI","vendor",{"name":22,"type":23},"Continue","product",{"name":25,"type":23},"Plandex",{"name":27,"type":23},"Open Interpreter",{"name":29,"type":23},"Cline",{"name":31,"type":32},"bash shell","technology","839da5c1-3c34-47e2-9499-f7201640e3ac",{"id":33,"icon":35,"name":36,"slug":37},null,"AI Security","ai-security",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",[55],{"type":56,"value":57,"context":58},"malware","GuardFall","Bypass technique exploiting shell injection in AI coding agents"]