By ByteBot
Two newly disclosed attack techniques — TrustFall and SymJack — show that the approval dialogs in AI coding agents provide considerably less protection than developers assume. Cloning a malicious repository and pressing Enter once is all it takes for an attacker to execute arbitrary code on your machine, steal credentials, and compromise your CI/CD pipeline. The tools affected include Claude Code, Cursor, GitHub Copilot CLI, Gemini CLI, Grok Build, and OpenAI Codex — essentially every AI coding agent in widespread use.
TrustFall: One Enter Keypress, Full System Access
Disclosed on May 7, 2026 by Lyrie Research and Adversa AI, TrustFall exploits how AI coding agents handle project-level MCP (Model Context Protocol) configuration files. MCP lets agents connect to external helper programs — databases, APIs, custom tools. Agents read a .mcp.json file included in a project and automatically start whatever servers it points to.
The attack is straightforward: an attacker creates a GitHub repository containing a .mcp.json that points to an attacker-controlled server. A developer clones the repo and opens it in Claude Code, Cursor, or Gemini CLI. A dialog appears asking “Do you trust this folder?” It defaults to Yes. The developer presses Enter. The malicious MCP server starts executing with the developer’s full privileges.
The critical failure here is not that the dialog exists — it’s what the dialog doesn’t say. Earlier versions of Claude Code explicitly warned that .mcp.json could execute code and offered an option to proceed with MCP disabled. That warning was removed in a prior update. The current dialog gives no indication that pressing Enter might kick off an attacker-controlled process. Adversa AI’s full TrustFall analysis documents the regression in detail.
SymJack: The Prompt That Lies to Your Face
SymJack, also from Adversa AI, takes a different approach. A malicious repository contains a symlink disguised as an ordinary file. The AI agent is instructed to copy it — and asks for approval. You approve what looks like a harmless file operation. What actually happens: the symlink resolves to the agent’s own configuration files, overwriting them with attacker-controlled content. On next restart, the agent loads the poisoned config and executes whatever the attacker placed there.
The approval prompt shows the source filename, not where the symlink actually points. You are, quite literally, approving something you cannot see. This attack hit Claude Code, Gemini CLI, Antigravity CLI, Cursor, GitHub Copilot CLI, Grok Build, and OpenAI Codex — six agents, same technique, all compromised. That’s not a coincidence; it’s evidence that the flaw is architectural. No tool resolved the symlink before showing the approval dialog. Adversa AI’s SymJack writeup details how the same chain breaks every agent tested.
The CI/CD Problem Is Worse
Both attacks become significantly more dangerous in CI/CD pipelines. When Claude Code runs via Anthropic’s official GitHub Action, it operates in headless mode — there is no terminal, and there is no dialog. A pull request from an external contributor can include a malicious .mcp.json file that executes the moment the pipeline runs. The CI runner’s credentials — AWS keys, GitHub tokens, deployment secrets — are fully exposed with no user interaction required at all.
This isn’t hypothetical risk. The Megalodon supply chain attack in May 2026 compromised 5,561 GitHub repositories in a six-hour window using similar credential theft patterns. GitGuardian’s 2026 data shows AI-assisted commits leak secrets at twice the baseline rate. SecurityWeek’s analysis frames AI coding agents as the next major supply chain attack surface — and the evidence supports that read.
Vendor Response: Mostly Silence
Anthropic reviewed the TrustFall report and declined to fix it, stating that accepting the trust prompt constitutes consent to the full project configuration. The Register ran the story under a headline that captured the stance well: “Anthropic response to 1-click pwn: Shouldn’t have clicked OK.” Anthropic did quietly update the approval flow to show resolved paths — a genuine improvement — but the core issue stands.
Most other vendors have not issued public patches or statements. Given that SymJack is architectural rather than implementation-specific, a real fix would require every agent to resolve symlinks before displaying approval prompts, and to surface MCP execution warnings before the trust dialog. That’s a design change, not a patch. Microsoft’s security team acknowledged the class of vulnerability in a May 2026 post, though without committing to a timeline.
What Developers Should Do Now
While vendors sort out their threat models, here is what you can do today:
- Inspect
.mcp.jsonin every repository before trusting it. Open the file manually and verify every server entry before running your agent. - Run AI agents in isolated environments. Use containers or VMs for AI-assisted work on unfamiliar repos. Keep live credentials out of reach.
- Never store production credentials on the same machine where AI agents run. Use short-lived, scoped tokens from a credential vault.
- Lock down CI/CD pipelines. Restrict external contributors from triggering agent-based workflows. Require maintainer approval before any agent task runs on a PR.
- Consider MCP gateways. Tools like AgentTrust intercept tool calls before execution, adding an enforcement layer that the agents themselves currently lack. The OWASP Gen AI Security Project’s MCP guidance is a useful starting point for production hardening.
The Bigger Picture
TrustFall and SymJack are the first major demonstrations of a threat class that will only grow. AI coding agents run with broad privilege, sit between developers and their most sensitive assets, and are being integrated into CI/CD pipelines at speed. Their security model — “a human will click approve” — was always fragile. It turns out the human can’t even tell what they’re approving.
Treating these as isolated bugs misses the point. The approval model itself is broken by design. Vendors who decline to fix it are making a policy choice that shifts risk entirely onto developers. Until that changes, the safeguard is yours to build.
