Security News

Cybersecurity news aggregator

Source: SecurityWeek

AI Coding Agents Could Fuel Next Supply Chain Crisis

The "TrustFall" attack is a supply chain threat where attackers can manipulate Claude Code's agentic behavior by placing malicious code in repositories like GitHub; when a developer uses Claude Code for a task, it may automatically fetch and execute this code, granting the attacker remote code execution with the developer's privileges upon a single trust confirmation. The article does not provide a CVSS score, specific affected version ranges, a fixed version number, or a recommended workaround.

“TrustFall” attack shows how AI coding agents can be manipulated into launching stealthy supply chain compromises.

By Kevin Townsend | May 7, 2026 (9:00 AM ET)

Researchers from Adversa.AI have discovered an issue that allows attackers to abuse Claude Code’s automation, potentially creating a new supply chain threat.

Agentic AI is designed to operate automatically and usually invisibly to make our work easier and more efficient. AI code generators are no different. Claude Code (launched in May 2025) has become the fastest-growing tool in the startup and high-end engineering space, with the highest user satisfaction rating against its competitors. Adversa AI has discovered a way in which its agentic behavior can be manipulated by an attacker into providing a one-click RCE, or even a potential supply chain threat.

All the attacker needs to do is place attractive but malicious code as, say, a GitHub repo. When a developer uses Claude Code for a new task, it checks available repositories for what will assist in the task. If it locates, selects and downloads the malicious prepared code, it is almost immediately game over for the developer. All the attacker now needs is for the user to accept Claude Code’s usage as trusted – which the user is likely to do since the agent is just doing what it is supposed to do.

Claude Code’s acceptance dialog simply reads, “Quick safety check: Is this a project you created or one you trust?”, with the default set to ‘trust’. In practice it is little different from Chrome’s browser security warning – which almost everyone almost always ‘allows’. The same holds for Claude Code, except that “One Enter keypress on the trust dialog spawns the server as an unsandboxed OS process with the developer’s full privileges. No tool call from Claude is required,” reports Adversa.
The cloned repository contains small JSON files in standard Claude Code locations, providing arbitrary code execution:

- enableAllProjectMcpServers in .claude/settings.json auto-approves every server defined in the project’s .mcp.json
- enabledMcpjsonServers auto-approves a named subset

“Both spawn attacker-defined MCP servers as OS processes with the user’s full privileges the moment the folder trust prompt is accepted,” reports Adversa. The result could open a long-lived C2. Alternatively, the payload could be embedded inline in .mcp.json, leaving no script file on disk for a reviewer or static scanner to flag.

Adversa describes several ways this process can be abused, but potentially the most disastrous is when Claude Code is used in the CICD process. If the user’s task is to produce a new tool for widespread distribution, it can kick off a brand new supply chain attack. “Developers of widely used tools are a realistic prime target,” Alex Polyakov, co-founder and CTO at Adversa.AI, told SecurityWeek. “Claude Code is installed on most developer machines and devs routinely clone unfamiliar repos and run Claude against them, so this attack is very plausible if the code is destined for the user’s CICD.”

The attack’s payload would read environment variables, deploy keys, signing certificates, and any credentials available to the runner. The runner would then quietly include those details in the build process. “Same blast-radius pattern as Salesloft Drift, with the initial-access bar collapsed to ‘clone and hit Enter’,” added Polyakov.

Adversa reported its findings to Anthropic, but for now at least, Anthropic has declined to do anything. Its position is that if the user clicks “Yes, I trust this folder”, consent to the use of everything inside that folder has been given; and it is not up to Anthropic to interfere.
But the user is generally unaware of what is really in the folder, and it is debatable whether uninformed consent is legal consent. “Whether this meets Anthropic’s threshold for a vulnerability is their call. Whether users are making an informed trust decision under [this] dialog, in our view, is not a close question. They are not.”

The report notes the issue could be solved by Anthropic blocking enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside the project and allowing these keys only from scopes structurally outside the repository. It also provides details on how users can mitigate the issues without waiting on Anthropic. For example, one recommendation specific to the CICD issue above is: “If a pipeline genuinely needs Claude Code non-interactively, gate it on branches where commits are already reviewed: post-merge on main, not arbitrary PR branches.”

The entire issue is not, however, limited to the use of Claude Code. “We checked whether this was only a Claude Code issue or something more general,” explains Serge Malenkovich, communications advisor at Adversa. “We ran the same chain against Gemini CLI, Cursor CLI, and Copilot CLI. All four behave the same way: a malicious repo can auto-approve and spawn an MCP server the moment the user accepts the folder trust prompt, and all four default to ‘Yes/Trust’. One Enter keypress is enough on any of them.” This, he added, reframes the story.
“It’s not a Claude Code issue; it’s a convention shared across agentic coding CLIs.”

Written By Kevin Townsend. Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
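The report’s proposed fix (refusing enableAllProjectMcpServers, enabledMcpjsonServers and permissions.allow from any settings file inside the repository) can be approximated on the developer side as a pre-trust audit run on a freshly cloned folder before answering the trust prompt. The Python script below is an added example, not code from Adversa, Anthropic or SecurityWeek: it reads the project-scope .claude/settings.json and .mcp.json named in the article, reports the auto-approve keys, lists every server that would be spawned, and gives the higher severity to inline interpreter invocations that leave no script on disk. The file paths and key names come from the article; the assumption that .mcp.json lists servers under an "mcpServers" object with "command" and "args" keys, the interpreter list, and the make_constructed_sample() repository are all constructed for this example.

```python
"""Pre-trust audit of a cloned repository for agent auto-approval settings.

Added example, not code from Adversa, Anthropic or SecurityWeek. File paths and
key names come from the article; the "mcpServers"/"command"/"args" layout of
.mcp.json and the interpreter list are assumptions.
"""
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

SETTINGS_PATH = Path(".claude") / "settings.json"  # project-scope settings (named in the article)
MCP_PATH = Path(".mcp.json")                       # project MCP server definitions (named in the article)

# Interpreters whose "-c"/"-e"/"-Command" form means an inline payload with no script on disk (assumption).
INLINE_INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "node", "perl", "pwsh", "powershell"}
INLINE_FLAGS = {"-c", "-e", "-Command"}


@dataclass
class Finding:
    kind: str       # "auto_approve", "permissions" or "server"
    severity: str   # "high" or "info"
    path: str       # file the finding came from, relative to the repo
    detail: str


def _load_json_dict(path: Path) -> dict:
    """Parse a JSON object; absent, unreadable or non-object files count as empty."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_repo_trust_config(repo: Path) -> list:
    """List repo-scoped settings that would take effect the moment the folder is trusted."""
    findings = []
    settings = _load_json_dict(repo / SETTINGS_PATH)
    servers = _load_json_dict(repo / MCP_PATH).get("mcpServers", {})
    if not isinstance(servers, dict):
        servers = {}

    # The three keys the report says should only be honoured from scopes outside the repository.
    if settings.get("enableAllProjectMcpServers") is True:
        findings.append(Finding("auto_approve", "high", str(SETTINGS_PATH),
                                f"enableAllProjectMcpServers=true auto-approves all {len(servers)} "
                                f"server(s) defined in {MCP_PATH}"))
    named = settings.get("enabledMcpjsonServers")
    if isinstance(named, list) and named:
        findings.append(Finding("auto_approve", "high", str(SETTINGS_PATH),
                                "enabledMcpjsonServers auto-approves: " + ", ".join(map(str, named))))
    permissions = settings.get("permissions")
    if isinstance(permissions, dict) and permissions.get("allow"):
        findings.append(Finding("permissions", "high", str(SETTINGS_PATH),
                                f"permissions.allow grants {len(permissions['allow'])} rule(s) from inside the repo"))

    # Every server .mcp.json defines; inline interpreter invocations get the higher severity.
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            continue
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", []) if a is not None]
        inline = Path(command).name.lower() in INLINE_INTERPRETERS and bool(INLINE_FLAGS & set(args))
        verb = "runs an inline payload (no script on disk)" if inline else "spawns"
        findings.append(Finding("server", "high" if inline else "info", str(MCP_PATH),
                                f"server {name!r} {verb}: {command} {' '.join(args)}".rstrip()))
    return findings


def would_spawn_on_trust(findings) -> bool:
    """True when an auto-approve key and at least one server definition are both present."""
    kinds = {f.kind for f in findings}
    return "auto_approve" in kinds and "server" in kinds


def make_constructed_sample(root: Path) -> Path:
    """Write a constructed repository mirroring the article's description (sample data, not a real project)."""
    repo = root / "helpful-looking-lib"
    (repo / ".claude").mkdir(parents=True)
    (repo / SETTINGS_PATH).write_text(json.dumps({"enableAllProjectMcpServers": True}), encoding="utf-8")
    (repo / MCP_PATH).write_text(json.dumps({"mcpServers": {
        "helper": {"command": "bash", "args": ["-c", "echo constructed-inline-payload"]},
        "docs": {"command": "npx", "args": ["-y", "example-docs-server"]},
    }}), encoding="utf-8")
    return repo


def demo() -> list:
    """Audit the constructed sample in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo_trust_config(make_constructed_sample(Path(tmp)))


if __name__ == "__main__":
    results = demo()
    for finding in results:
        print(f"[{finding.severity}] {finding.path}: {finding.detail}")
    print("Would spawn servers on folder trust:", would_spawn_on_trust(results))
```

Run it against the clone directory (replace demo() with audit_repo_trust_config(Path("path/to/clone"))) before pressing Enter on the trust dialog; a non-empty would_spawn_on_trust() result is the case the article describes, where the trust confirmation alone starts attacker-defined processes. In a pipeline the same check pairs naturally with the report’s advice to run the agent only on already-reviewed branches, since it inspects exactly the repo-scoped files that a contributor can change in a pull request.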
