“Both spawn attacker-defined MCP servers as OS processes with the user’s full privileges the moment the folder trust prompt is accepted,” reports Adversa. The result could be a long-lived C2 channel. Alternatively, the payload could be embedded inline in .mcp.json, leaving no script file on disk for a reviewer or static scanner to flag.

Adversa describes several ways this process can be abused, but potentially the most disastrous is when Claude Code is used in the CI/CD process. If the user’s task is to produce a new tool for widespread distribution, it can kick off a brand new supply chain attack.

“Developers of widely used tools are a realistic prime target,” Alex Polyakov, co-founder and CTO at Adversa.AI, told SecurityWeek. “Claude Code is installed on most developer machines and devs routinely clone unfamiliar repos and run Claude against them, so this attack is very plausible if the code is destined for the user’s CI/CD.” The attack’s payload would read environment variables, deploy keys, signing certificates, and any credentials available to the runner, and the runner, now working for the attacker, would then quietly fold those details into the build process.

“Same blast-radius pattern as Salesloft Drift, with the initial-access bar collapsed to ‘clone and hit Enter’,” added Polyakov.

Adversa reported its findings to Anthropic, but for now at least, Anthropic has declined to act. Its position is that if the user clicks “Yes, I trust this folder”, consent to the use of everything inside that folder has been given, and it is not up to Anthropic to interfere. But the user is generally unaware of what is really in the folder, and it is debatable whether uninformed consent is legal consent.

“Whether this meets Anthropic’s threshold for a vulnerability is their call. Whether users are making an informed trust decision under [this] dialog, in our view, is not a close question. They are not.”

The report notes the issue could be solved by Anthropic blocking enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside the project, and honouring these keys only from scopes structurally outside the repository, that is, from settings a cloned checkout cannot carry with it.

It also provides details on how users can mitigate the issues without waiting on Anthropic. For example, one recommendation specific to the CI/CD issue above is: “If a pipeline genuinely needs Claude Code non-interactively, gate it on branches where commits are already reviewed: post-merge on main, not arbitrary PR branches.”

The entire issue is not, however, limited to the use of Claude Code. “We checked whether this was only a Claude Code issue or something more general,” explains Serge Malenkovich, communications advisor at Adversa. “We ran the same chain against Gemini CLI, Cursor CLI, and Copilot CLI. All four behave the same way: a malicious repo can auto-approve and spawn an MCP server the moment the user accepts the folder trust prompt, and all four default to ‘Yes/Trust’. One Enter keypress is enough on any of them.”

This, he added, reframes the story. “It’s not a Claude Code issue; it’s a convention shared across agentic coding CLIs.”
Source: SecurityWeek