TrustFall: Researchers Show How One Click Could Compromise Major AI Coding Tools
Key Takeaways
- ▸A critical vulnerability in four major AI coding assistants allows instant code execution via malicious project configuration files read by the Model Context Protocol (MCP)
- ▸Anthropic previously offered a safer option to trust projects with MCP disabled, but removed it from Claude Code version 2.1 and later
- ▸The attack requires only two small JSON files and can exfiltrate credentials, SSH keys, and environment variables before the AI performs any reasoning
Summary
Security researchers at Adversa AI have disclosed a critical vulnerability in four major AI coding assistants—Claude Code from Anthropic, Gemini CLI from Google, Cursor CLI, and GitHub's Copilot CLI—that allows malicious code execution through configuration files. The vulnerability exploits the Model Context Protocol (MCP), a feature that lets AI assistants invoke external helper programs. Each tool reads MCP configuration from project folders and presents a trust dialog that, in most cases, defaults to "yes," meaning a developer can compromise their machine by cloning a malicious repository and pressing Enter.
The attack is remarkably simple and requires only two small JSON files. One defines a helper program with a one-line script that downloads and executes a payload from the internet, while the other tells the assistant to auto-approve that helper. The malicious helper program can then read SSH keys, cloud credentials, shell history, and source code from other projects before the AI has even begun reasoning. Notably, an earlier version of Claude Code's trust dialog warned explicitly about code execution through MCP and offered an option to trust the folder with MCP disabled—but Anthropic removed that safer option in version 2.1 and later.
The vulnerability is particularly severe in continuous integration environments. When Claude Code runs in headless mode through the official Anthropic GitHub Action on a CI/CD server, the trust dialog never appears. A malicious pull request from an outside contributor can ship the attack files, and when the pipeline runs, the helper program immediately executes with access to the runner's environment variables, deploy keys, signing certificates, and cloud tokens. Adversa AI has published a working proof-of-concept demonstrating exfiltration of runner environment variables to an attacker-controlled URL.
- In CI/headless mode, trust dialogs are eliminated entirely, leaving GitHub Actions vulnerable to pull requests containing malicious MCP configuration
- All four tools (Claude Code, Gemini CLI, Cursor CLI, Copilot CLI) share similar vulnerabilities despite different UI approaches to the trust prompt
Editorial Opinion
The TrustFall vulnerability exposes a troubling disconnect between the intended use cases of AI coding tools and their security posture. Anthropic's decision to remove the explicit MCP-safe option is particularly concerning, suggesting a preference for convenience over cautious defaults. Given that these tools are routinely pointed at untrusted code—the entire premise of cloning unfamiliar repositories—the industry needs to reconsider whether trust dialogs defaulting to 'yes' are acceptable, especially in automated CI environments where human review is bypassed entirely.
