Adversa.AI researchers discovered that AI coding agents such as Claude Code and others can be exploited by attackers who place malicious code in public repositories. When a developer uses these agents, the tool scans repositories and may select and execute malicious code if the user accepts the trust prompt, which defaults to 'trust'. This results in immediate arbitrary code execution with the developer's full OS privileges, potentially spawning long-lived command-and-control servers or embedding malicious payloads that evade static analysis. The vulnerability is particularly dangerous when these tools are integrated into CI/CD pipelines, risking widespread supply chain attacks. Anthropic, the vendor of Claude Code, has declined to patch the issue, arguing that user consent is required and sufficient. The problem extends to multiple AI coding CLIs, indicating a systemic risk in agentic AI coding tools.

Successful exploitation allows attackers to execute arbitrary code on developer machines with full user privileges, potentially establishing persistent command-and-control infrastructure and injecting malicious payloads into software builds. This can lead to stealthy supply chain compromises affecting downstream users of compromised software. The attack requires minimal user interaction—just accepting the default trust prompt—and can compromise CI/CD pipelines, amplifying the blast radius. No known exploits are reported in the wild yet. The vendor has not issued an official fix, leaving users exposed if they accept untrusted folders.

No official patch or fix is currently available from the vendor Anthropic, which has declined to intervene citing user consent. Users should exercise extreme caution when accepting the trust prompt in AI coding agents, especially when cloning unfamiliar repositories. Specific mitigations include restricting use of AI coding agents in CI/CD pipelines to branches where commits have been reviewed and merged, not arbitrary pull requests. Users can also block or restrict settings like enableAllProjectMcpServers and enabledMcpjsonServers from project repositories by configuring these keys only outside the repository scope. Monitoring and controlling the use of these AI agents in development workflows is recommended until an official fix or vendor guidance is provided.