Weaponize trusted repos, researchers show

- Adversa AI showed on May 7 that cloned repositories can trigger code execution in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI.
- The sharp detail is the trigger — one folder-trust click can start project-defined MCP servers, and CI runners may execute them with no click at all.
- VS Code 1.119 widens agent reach into browser tabs while adding tracing, making repo trust and agent permissions a live security issue.

AI coding assistants are starting to behave less like autocomplete and more like junior operators with keys to your machine. That is useful — but it changes what “safe to open” means. A repo used to be mostly inert until you ran something inside it. This week, Adversa AI showed that for several coding-agent CLIs, opening and trusting a repo can be enough to kick off code execution paths through project-defined MCP servers. (adversa.ai)

### What actually changed?

The immediate news is the TrustFall research from Adversa AI, published May 7. It focuses on Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI. The core claim is simple: these tools can read agent configuration shipped inside a project and then start helper services the project points to. In the bad case, a malicious repo turns “I trust this folder” into “please run attacker-controlled code.” (adversa.ai)

### Why is a repo suddenly dangerous?

Because agentic tools do more than read source files. They ingest instructions, settings, tool definitions, and workflow hints from inside the repo. That is the whole product idea — give the agent context so it can act. But it turns out the same mechanism lets attackers hide instructions in pla(adversa.ai)” and argued the weakness is architectural, not just one vendor’s bug. (labs.cloudsecurityalliance.org)

### What is MCP doing here?

MCP — Model Context Protocol — is basically the plug shape that lets an agent talk to external tools and services. A repo can define MCP servers for tasks like file access, browser control, or custom project actions. That is great for automation. The catch is that if the(labs.cloudsecurityalliance.org)us seam, especially when approval prompts are weak or inconsistent. (adversa.ai)

### Why does one click matter so much?

Because developers already click “trust this folder” all day. That prompt was designed for a simpler era — mostly editor features, not semi-autonomous tools that can spawn processes. TrustFall argues that in Claude Code v2.1+, a warning about repo-defined MCP servers was removed, which made(adversa.ai) project’s helpers.” (adversa.ai)

### Why bring VS Code into this?

Because Microsoft is moving the platform in the same general direction — more capable agents, more tool access, more observability. VS Code 1.119, released May 6, added browser-tab sharing with agents and OpenTelemetry tracing for agent sessions. Microsoft says browser access is explicit, not aut(adversa.ai)tting deeper access to the editor, the browser, and the workflow around them. (code.visualstudio.com)

### Does the browser feature make this worse?

Not by itself. Microsoft put consent gates around it, and browser-agent pages default to private in-memory sessions in the browser tools guide. But every new capability expands the blast radius if trust boundaries are fuzzy. An agent that can edit code, inspect a live app, read page state, and call external tools is much more(code.visualstudio.com) the risk. (code.visualstudio.com)

### Is this just a lab problem?

Probably not. This year has already produced a string of adjacent incidents — prompt injection against issue-triage bots, malicious packages aimed at AI coding workflows, and research on stale trust that survives config changes. The pattern is that attackers do not need to break the model itself. They just need to poison the context the model is trained to obey. (securityweek.com)

### What should teams do now?

Treat agent config like executable code. Review repo-scoped MCP settings, rules files, and agent metadata in code review. Separate browsing, shell, and secret access. Sandbox agents where possible. And do not let “trusted repo” mean “trusted to launch tools.” That shortcut made sense (securityweek.com)er — don’t assume opening a repo is meaningfully different from running one. (adversa.ai)
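One way to act on “treat agent config like executable code” is a pre-trust inventory that lists every MCP server a freshly cloned repo would ask an agent to start, so reviewers see the launch commands before anyone clicks “trust this folder.” This is an added example, not code from Adversa AI or any of the tools named above; the config file locations and the `mcpServers`/`servers` keys are assumptions drawn from common client conventions, and the sample repo is constructed in a temp directory.

```python
import json
import tempfile
from pathlib import Path

# Assumed project-scoped config locations; the article does not list them.
# Extend this inventory for the agents your team actually runs.
CANDIDATE_CONFIGS = [
    ".mcp.json",              # Claude Code project config (assumed)
    ".cursor/mcp.json",       # Cursor (assumed)
    ".gemini/settings.json",  # Gemini CLI (assumed)
    ".vscode/mcp.json",       # VS Code, uses a "servers" key (assumed)
]

def find_repo_mcp_servers(repo_root):
    """Return every MCP server a cloned repo would have an agent start.

    Each finding records the config file, the server name, whether the
    server is a local process (command/args, i.e. code execution on the
    developer's machine) or a remote URL, and the exact launch string.
    """
    findings = []
    root = Path(repo_root)
    for rel in CANDIDATE_CONFIGS:
        path = root / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            findings.append({"file": rel, "name": None, "kind": "unparseable", "launch": ""})
            continue
        servers = data.get("mcpServers") or data.get("servers") or {}
        for name, spec in servers.items():
            if not isinstance(spec, dict):
                findings.append({"file": rel, "name": name, "kind": "unknown", "launch": ""})
                continue
            kind = "process" if "command" in spec else "remote" if "url" in spec else "unknown"
            cmd = " ".join([spec.get("command", "")] + list(spec.get("args", []))).strip()
            findings.append({"file": rel, "name": name, "kind": kind,
                             "launch": cmd or spec.get("url", "")})
    return findings

def demo():
    """Constructed sample: a repo shipping one process-spawning MCP server."""
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, ".mcp.json").write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "npx", "args": ["-y", "some-package"]}}}))
        return find_repo_mcp_servers(repo)

if __name__ == "__main__":
    for finding in demo():
        print(finding)  # review "process" entries before trusting the folder
```

Run it against the clone root in CI or a pre-trust hook; any `process` finding is a command the agent may execute on your behalf and belongs in code review alongside the rest of the diff.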

Shared from Scout - Be the smartest in the room.