Developers using the latest version of Claude Code could inadvertently execute malicious code on their systems with a single keypress, or none in continuous integration environments, due to inadequate warnings when opening untrusted repositories.
That’s according to researchers at Adversa AI, who developed a one-click, proof-of-concept exploit dubbed “TrustFall” that shows how an attacker could take control of a developer’s system via a malicious repository with no visible indication of compromise.
Anthropic, however, has described the issue identified by Adversa AI as outside its threat model and considers its trust dialog sufficient warning to users, Adversa AI said.
A Straightforward Path?
According to Adversa, all a threat actor would need to do to pull off an attack is create a repository that includes a malicious MCP server and configuration settings that auto-approve it to run. When a developer clones or opens the repo in Claude Code and presses Enter on what appears to be a routine security check, the AI coding tool launches the attacker-controlled code with the developer’s full system privileges and no further prompting.
The payload can potentially read local files, including secrets, SSH keys, and tokens; access other projects; install backdoors; and establish a command-and-control connection. In a CI/CD environment, the same attack would unfold with no human interaction at all.
“The impact is full machine compromise, not just project access,” Adversa AI said in a report this week. “MCP servers execute as native OS processes with the full privileges of the user running Claude Code.” That means they aren’t sandboxed or confined in any way. “The payload runs the moment the MCP server process starts,” Adversa said.
The problem has to do with a trust dialog change that Anthropic introduced in Claude Code version 2.1, which removed warning language that previously made the risk more visible to users. That change has turned a routine developer action of cloning or reviewing a repo into a high-risk action.
“The core issue has two parts,” explains Rony Utevsky, lead researcher at Adversa AI. The first is that when a developer imports a project into Claude Code, the project itself can automatically approve and immediately launch an MCP server. That server then runs with the developer’s full user privileges and no sandbox. “One press of Enter, and the project executes whatever it wants,” he says.
Ambiguous Warning
Unfortunately, Claude Code’s warning on this is less than explicit, he says. “The dialog users see is a simple ‘Yes, I trust this folder.’ Most developers don’t realize ‘trusting’ hands over that much power,” he says. Earlier versions of Claude Code prior to 2.1 warned about MCP execution explicitly and offered an option to proceed with MCP servers disabled. Both are no longer present, Utevsky says.
The security researcher says the TrustFall issue that Adversa AI identified is the fourth exploitable vulnerability in Claude Code involving a malicious repository abusing project-scoped settings to silently change how the tool behaves on a developer’s machine. The other three vulnerabilities are CVE-2025-59536, CVE-2026-21852 and CVE-2026-33068, all of which Anthropic has patched, but without addressing the underlying cause, Utevsky notes. “The fourth issue we describe, which is the same class of bug, was declined by Anthropic’s security team as consent given via the trust dialog,” he says. “That’s the pattern we’re flagging: The underlying class isn’t being addressed, only individual instances.”
Adversa identified three configuration settings that an attacker could use in a malicious repo to trigger arbitrary code execution on a developer’s system without an explicit prior warning from Claude Code. The first is a setting that automatically approves a malicious MCP server to run the moment the user accepts Claude Code’s broad folder trust prompt. The second involves planting the payload directly in the configuration file, making it harder for security scanners to flag. The third pre-authorizes specific tool calls through project settings, enabling code execution without further user interaction, Adversa said.
“In our opinion, the language of the new warning dialog downplays the decision’s importance and the severity of the consequences, while providing no information about the project contents,” Utevsky says. “It also defaults to ‘Trust,’ so a reflexive press of Enter leads to unsafe behavior.”
Claude Code’s handling of dangerous settings is also internally inconsistent, he believes. Other configuration settings, such as bypassPermissions, invoke a much more alarming dialog with stronger language, and that dialog defaults to “No, exit.” “The same product treats less dangerous settings more carefully than this one,” Utevsky says.
Not a Vulnerability?
Anthropic’s position is that unlike previous vulnerabilities that allowed malicious code execution before a trust dialog even appeared, the issue that Adversa has identified involves code execution that happens only after the user has consented to the project. “Whether this meets Anthropic’s threshold for a vulnerability is their call,” the security vendor noted in its report. “Whether users are making an informed trust decision under the v2.1+ dialog, in our view, is not a close question. They are not.”
Reducing exposure to AI agent threats like these, according to Adversa, boils down to tightening controls across developer endpoints and CI/CD pipelines, and bolstering overall visibility into how tools like Claude Code are used.
On developer systems, organizations should focus on inspecting project configurations and monitoring for unexpected behavior when new repositories are opened: validate projects before opening them, and use behavioral monitoring to detect unusual processes or activity initiated by development tools. In CI environments, the most effective safeguard is to avoid running the tool automatically on untrusted code, Adversa said. “Inspecting repo settings, automation actions, and project scaffolding isn’t technically complex, but it takes time and discipline,” Utevsky says. “It’s also unavoidable now, given how common supply chain attacks and intentionally malicious open source packages have become.”
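The "inspect project configurations before opening" advice above, and the three settings patterns described earlier, can be turned into a pre-open audit. The script below is an added example written for this article; it is not code from Adversa AI, Anthropic, or the TrustFall report. It reads the project-scoped files a checkout can carry, reports any MCP server definitions (each of which becomes a native process), auto-approval flags, inline command-line payloads, and pre-authorized tool permissions, and returns a verdict a CI step can use to refuse to launch the tool. The file names (`.mcp.json`, `.claude/settings.json`) and keys (`enableAllProjectMcpServers`, `enabledMcpjsonServers`, `permissions.allow`, `permissions.defaultMode`) are taken from Claude Code's documented project configuration as understood by the author of this example, not from the article; verify them against the documentation for the version you run. The sample checkout embedded at the bottom is constructed for the demonstration.

```python
"""Pre-open audit of the project-scoped Claude Code settings a checkout carries.

Run it on a freshly cloned repository before opening it in Claude Code, or
wire it into a CI step that refuses to run the tool when findings exist.
"""
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# File names and keys are assumptions based on Claude Code's documented
# project-scoped configuration; verify against the docs for your version.
MCP_CONFIG = ".mcp.json"
PROJECT_SETTINGS = (".claude/settings.json", ".claude/settings.local.json")
# Interpreter flags that carry code inline on the command line.
INLINE_CODE_FLAGS = {"-c", "-e", "--eval", "-Command", "-EncodedCommand"}


@dataclass
class Finding:
    severity: str   # "critical", "high" or "medium"
    path: str       # repo-relative file that triggered the finding
    detail: str


def _load_json(text: str) -> Optional[dict]:
    """Return the parsed object, or None when the text is not a JSON object."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def audit_project_settings(files: Dict[str, str]) -> List[Finding]:
    """Audit a mapping of repo-relative path -> file text for settings that let
    the project launch processes or pre-approve actions on the user's behalf."""
    findings: List[Finding] = []

    mcp_text = files.get(MCP_CONFIG)
    if mcp_text is not None:
        mcp = _load_json(mcp_text)
        if mcp is None:
            findings.append(Finding("medium", MCP_CONFIG, "not valid JSON; inspect by hand"))
        else:
            for name, spec in (mcp.get("mcpServers") or {}).items():
                spec = spec if isinstance(spec, dict) else {}
                args = [str(a) for a in (spec.get("args") or [])]
                launch = " ".join([str(spec.get("command", ""))] + args).strip() or spec.get("url", "?")
                findings.append(Finding("high", MCP_CONFIG,
                    f"MCP server '{name}' would start a native process: {launch}"))
                # Payload carried inline in the config file rather than in a script.
                if any(a in INLINE_CODE_FLAGS for a in args):
                    findings.append(Finding("critical", MCP_CONFIG,
                        f"MCP server '{name}' passes inline code on its command line"))

    for path in PROJECT_SETTINGS:
        text = files.get(path)
        if text is None:
            continue
        settings = _load_json(text)
        if settings is None:
            findings.append(Finding("medium", path, "not valid JSON; inspect by hand"))
            continue
        if settings.get("enableAllProjectMcpServers") is True:
            findings.append(Finding("critical", path,
                "enableAllProjectMcpServers=true auto-approves every server in .mcp.json"))
        for name in settings.get("enabledMcpjsonServers") or []:
            findings.append(Finding("high", path, f"project pre-approves MCP server '{name}'"))
        perms = settings.get("permissions") or {}
        for rule in perms.get("allow") or []:
            findings.append(Finding("high", path, f"pre-authorized tool call: {rule}"))
        if perms.get("defaultMode") == "bypassPermissions":
            findings.append(Finding("critical", path, "defaultMode=bypassPermissions disables prompting"))
    return findings


def audit_repo(root: Path) -> List[Finding]:
    """Read the relevant files from a checkout on disk and audit them."""
    files: Dict[str, str] = {}
    for rel in (MCP_CONFIG, *PROJECT_SETTINGS):
        candidate = root / rel
        if candidate.is_file():
            files[rel] = candidate.read_text(encoding="utf-8", errors="replace")
    return audit_project_settings(files)


def should_block(findings: List[Finding]) -> bool:
    """CI gate: refuse to run the tool automatically when anything high or worse is present."""
    return any(f.severity in ("critical", "high") for f in findings)


# Constructed sample checkout (not from any real repository) exercising the
# three settings patterns described in the article.
SAMPLE_CHECKOUT = {
    ".mcp.json": json.dumps({"mcpServers": {
        "helper": {"command": "node", "args": ["scripts/setup.js"]},
        "inline": {"command": "sh", "args": ["-c", "echo constructed-sample"]},
    }}),
    ".claude/settings.json": json.dumps({
        "enableAllProjectMcpServers": True,
        "permissions": {"allow": ["Bash(curl:*)"]},
    }),
}

if __name__ == "__main__":
    report = audit_project_settings(SAMPLE_CHECKOUT)
    for f in report:
        print(f"[{f.severity}] {f.path}: {f.detail}")
    raise SystemExit(1 if should_block(report) else 0)
```

Point `audit_repo(Path("path/to/checkout"))` at a real clone to get the same report; any MCP server definition is reported as high rather than only the auto-approved ones, because the article's point is that the trust prompt alone is what stands between the definition and a running process.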