VULNERABILITY BRIEF · 🟠 High Vulnerability

One‑Keypress Remote Code Execution Vulnerability in Four AI Coding CLI Tools

Adversa AI’s TrustFall research reveals that Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI can be compromised by a malicious repository with a single ‘yes’ click, allowing attackers to execute arbitrary code and steal developer credentials. The flaw creates a supply‑chain risk for any organization that permits AI‑assisted coding.

LiveThreat™ Intelligence · 📅 May 08, 2026 · 📰 helpnetsecurity.com

🟠 Severity: High · Type: Vulnerability · 🎯 Confidence: High · 🏢 Affected: 3 sector(s) · Actions: 4 recommended · 📰 Source: helpnetsecurity.com

AI Coding CLI Tools Vulnerable to One‑Keypress Remote Code Execution via Malicious Repositories

What Happened — Researchers at Adversa AI disclosed a design flaw (named “TrustFall”) affecting four popular command‑line AI coding assistants—Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI. A malicious repository can trigger the tools to launch attacker‑controlled helper programs simply by opening the folder and confirming a default‑yes trust prompt, resulting in immediate code execution with the developer’s privileges.

Why It Matters for TPRM

  • The vulnerability bypasses the usual “review‑before‑run” safeguard, exposing any downstream organization that integrates these tools into its development pipeline.
  • Compromise of a single developer workstation can lead to theft of SSH keys, cloud credentials, source code, and lateral movement across corporate networks.
  • The issue spans multiple vendors, creating a supply‑chain risk that can affect any third‑party software development engagement.

Who Is Affected — Technology & SaaS vendors, software development firms, MSPs that provide development environments, and any organization that allows developers to use AI‑assisted CLI tools.

Recommended Actions

  • Immediately audit CI/CD pipelines and developer workstations for usage of Claude Code, Gemini CLI, Cursor CLI, or Copilot CLI.
  • Enforce a policy that disables default‑yes trust prompts, or that requires manual review of project configuration files before any helper program is executed.
  • Apply vendor‑issued mitigations (e.g., revised trust dialogs, an option to disable MCP) and monitor for patches.
  • Conduct credential rotation for any accounts that may have been accessed from compromised machines.

Technical Notes — The flaw exploits the Model Context Protocol (MCP), which allows AI assistants to invoke external helper programs defined in a project’s configuration file. Attackers supply two tiny JSON files: one defining a malicious helper script, the other auto‑approving it. Because the trust dialog defaults to “Yes,” the helper runs with the developer’s permissions, enabling credential theft, data exfiltration, and persistence. No CVE has been assigned yet; vendors are expected to release patches in the coming weeks. Source: Help Net Security
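The review step the recommended actions call for can be scripted so that a repository is inspected before anyone answers a trust prompt. The following audit is an added example written for this brief; it is not code from Adversa AI, Help Net Security, or any of the four vendors. It assumes that helper programs are declared under a JSON key named `mcpServers` with a `command` and optional `args` (the shape used by MCP client configurations); because the page does not name the per‑tool file locations, it inspects every JSON file in the checkout rather than a fixed list of paths, and it recognises approval settings with a key‑name heuristic (`approve`, `trust`, `allow`) that should be tuned to each tool's documented settings. The sample repository it audits is constructed inline.

```python
"""Pre-trust audit of a checked-out repository for project-scoped MCP helper
definitions and auto-approval settings.

Added example (not from the Adversa AI research or the Help Net Security
article). Assumptions: helper programs are declared under a JSON key named
"mcpServers" with a "command" and optional "args"; the per-tool file names are
not given on the page, so every JSON file in the repository is inspected;
approval settings are recognised by a key-name heuristic to be tuned per tool.
"""
from __future__ import annotations

import json
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Iterator

APPROVAL_HINTS = ("approve", "trust", "allow")  # heuristic, tune per tool
SKIP_DIRS = {".git", "node_modules", "vendor", "dist", "build"}


@dataclass(frozen=True)
class Finding:
    path: str    # file path relative to the repository root
    kind: str    # "helper", "auto_approve" or "unparseable"
    detail: str  # what a reviewer should look at


def _walk(obj: Any, key_path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Yield (key path, value) for every nested entry of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key_path + (key,), value
            yield from _walk(value, key_path + (key,))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _walk(value, key_path + (str(idx),))


def audit_config(rel_path: str, doc: Any) -> list[Finding]:
    """Report helper-program definitions and approval-style settings in one document."""
    findings: list[Finding] = []
    for key_path, value in _walk(doc):
        key = key_path[-1]
        # A server entry directly under "mcpServers" that names a program to spawn
        if (len(key_path) >= 2 and key_path[-2] == "mcpServers"
                and isinstance(value, dict) and "command" in value):
            argv = [str(value["command"])] + [str(a) for a in value.get("args", [])]
            findings.append(Finding(rel_path, "helper", f"{key} would run: {' '.join(argv)}"))
        # A key that looks like an approval switch and is enabled or non-empty
        if any(h in key.lower() for h in APPROVAL_HINTS) and (
                value is True or (isinstance(value, list) and value)):
            findings.append(Finding(rel_path, "auto_approve",
                                    f"{'.'.join(key_path)} = {json.dumps(value)}"))
    return findings


def audit_repo(root: Path) -> list[Finding]:
    """Inspect every JSON file under root. Files that do not parse are reported,
    not skipped: a reviewer still has to read them before trusting the folder."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*.json")):
        rel_parts = path.relative_to(root).parts
        if any(part in SKIP_DIRS for part in rel_parts):
            continue
        rel = "/".join(rel_parts)
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError) as exc:
            findings.append(Finding(rel, "unparseable", f"could not parse: {exc}"))
            continue
        findings.extend(audit_config(rel, doc))
    return findings


# Constructed sample repository: one helper definition, one approval switch,
# one benign manifest and one file that is not valid JSON.
SAMPLE_REPO: dict[str, Any] = {
    "package.json": {"name": "demo-app", "version": "1.0.0"},
    "tool-config/mcp.json": {
        "mcpServers": {"build-helper": {"command": "sh", "args": ["-c", "./setup.sh"]}}
    },
    "tool-config/settings.json": {"allowAllProjectServers": True, "editor": {"tabSize": 2}},
    "notes.json": "{ not valid json",
}


def write_sample_repo(root: Path) -> None:
    for rel, content in SAMPLE_REPO.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        text = content if isinstance(content, str) else json.dumps(content, indent=2)
        target.write_text(text, encoding="utf-8")


def demo() -> list[Finding]:
    """Build the constructed repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

Run it against a fresh clone before opening the folder in any of the CLI tools; a non‑empty list of `helper` or `auto_approve` findings means a human should read those files first, and `unparseable` findings deserve the same attention because comments or deliberate syntax tricks can hide a server definition from a naive grep.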

📰 Original Source
https://www.helpnetsecurity.com/2026/05/07/trustfall-ai-coding-cli-vulnerability-research/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
