TrustFall flaw enables one-click RCE
- Adversa AI disclosed “TrustFall” on May 7, saying Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI can run attacker code after a trust prompt.
- The sharp detail is the trigger: one Enter keypress on a cloned repo can start a project-defined MCP server as an unsandboxed local process.
- That matters because the same pattern can hit CI runners with zero clicks, turning ordinary repo trust into a supply-chain risk.
AI coding agents just picked up a very old security problem in a very new wrapper. A repository can now carry not just code you read and run later, but settings that tell your coding agent to start helper software right away. The news is a disclosure called TrustFall, published May 7 by Adversa AI, showing that four popular coding CLIs can be pushed into running attacker-controlled code after a folder-trust prompt. Anthropic’s Claude Code is the deepest example, but the pattern appears in Cursor CLI, Gemini CLI, and GitHub Copilot CLI too. (adversa.ai)

### What is the trick here?

The trick is project-scoped configuration. These tools support Model Context Protocol, or MCP, which lets an agent connect to local helper servers for tools, docs, schemas, and other context. TrustFall uses repository files like `.mcp.json` and, in Claude Code’s case, `.claude/settings.json` to define an […] starts locally. (adversa.ai)

### Why does one click matter so much?

Because the click does not feel like “run code.” In Adversa’s Claude Code example, the prompt is a generic trust check for the folder. Press Enter once, and an attacker-controlled MCP server can launch as an unsandboxed OS process with the developer’s privileges. No separate “do you want to ex[…] remote code execution hiding inside a trust decision. (adversa.ai)

### Why is Claude Code the sharpest example?

Turns out Claude Code shows a very specific regression. Adversa says older versions warned that `.mcp.json` could execute code and offered an option to proceed with MCP disabled. In v2.1+, that explicit warning was removed, while some dangerous settings still remain blocked at project scope […] dangerous code, but not the ones that can auto-start an MCP server. (adversa.ai)

### Is this only a Claude problem?

No — that is the uncomfortable part. Adversa says it confirmed the same basic behavior across Claude Code, Cursor CLI, Gemini CLI, and Copilot CLI: accept the trust prompt, and project-defined MCP servers can run. The tools differ in how much warning they show, but the underlying pattern is shared […] in the same direction — agent runtimes are becoming execution surfaces, not just chat interfaces. (adversa.ai)

### Why does CI make this worse?

Because CI often removes the human pause entirely. Adversa says headless runs can skip the trust dialog, and its proof of concept includes a CI variant that exfiltrates environment variables from a GitHub Actions runner. Basically, the same repo settings trick that needs one keypress on a laptop can become zero-click in automation. That moves this from “developer beware” into supply-chain territory. (adversa.ai)

### Haven’t we seen this before?

Yes — and that is part of why this landed hard. Check Point disclosed Claude Code issues in February 2026 involving malicious project files, MCP servers, hooks, and API key theft; those bugs were patched. TrustFall argues the broader class is still alive because project configuration remains a code-execution path. Same neighborhood, slightly different front door. (research.checkpoint.com)

### So what should teams change?

Treat agent config like executable content. Don’t let coding agents run on the host with broad secrets if a sandbox is possible. Review repo-scoped agent settings before trust is granted. Lock down CI secrets and assume cloned repositories can try to start helper processes. Audit logs matter too — if an MCP server starts, teams need to know when, from where, and with what privileges. (adversa.ai)

### Bottom line

TrustFall matters because it breaks a familiar mental model. Developers think “trust this folder” means “let the tool read the repo.” In these agentic CLIs, it can also mean “start local code from the repo right now.” That gap — between what the user thinks they approved and what the system actually does — is where the risk lives. (adversa.ai)
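The “review repo-scoped agent settings before trust is granted” advice above is easy to state and easy to skip, and the CI section shows why a human review step cannot be the only control. Below is an added example, written for this write-up and not part of Adversa’s disclosure or any of the named tools, of a small pre-trust audit script: it scans a checkout for the two project files the article names (`.mcp.json` and `.claude/settings.json`), lists every MCP server a coding agent would be asked to launch together with its command, arguments and the environment keys it would receive, and returns a non-zero exit status so a CI job can refuse to run an agent over a checkout that tries to start helper processes. The `mcpServers` / `command` / `args` / `env` layout is the documented `.mcp.json` shape; the extra `enableAllProjectMcpServers` key it flags is a Claude Code settings name assumed here and not mentioned on the page; the sample repository it builds is constructed for the demonstration.

```python
"""Pre-trust audit of repo-scoped MCP configuration (added example, not the page's code)."""
import json
import sys
import tempfile
from pathlib import Path

# Project-level files named in the TrustFall write-up; extend for other agents' paths.
CONFIG_FILES = (".mcp.json", ".claude/settings.json")
# Assumed Claude Code setting: auto-approving project servers removes the review step.
AUTO_APPROVE_KEY = "enableAllProjectMcpServers"


def load_json(path: Path):
    """Parse a config file; a parse error is itself a finding, not a reason to skip."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError) as exc:
        return {"_parse_error": str(exc)}


def extract_servers(doc) -> list:
    """One record per entry under `mcpServers`, whether stdio (command) or remote (url)."""
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return []
    records = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            continue
        env = spec.get("env")
        records.append({
            "name": name,
            "command": spec.get("command"),
            "args": [str(a) for a in (spec.get("args") or [])],
            "env": sorted(env.keys()) if isinstance(env, dict) else [],
            "url": spec.get("url"),
        })
    return records


def audit_repo(repo: Path) -> dict:
    """Collect servers, risky flags and parse errors from the known config files."""
    findings = {"servers": [], "flags": [], "errors": []}
    for rel in CONFIG_FILES:
        path = repo / rel
        if not path.is_file():
            continue
        doc = load_json(path)
        if "_parse_error" in doc:
            findings["errors"].append(f"{rel}: {doc['_parse_error']}")
            continue
        for srv in extract_servers(doc):
            srv["file"] = rel
            findings["servers"].append(srv)
        if rel.endswith("settings.json") and doc.get(AUTO_APPROVE_KEY) is True:
            findings["flags"].append(f"{rel}: {AUTO_APPROVE_KEY} is true")
    return findings


def format_report(findings: dict) -> str:
    """Human-readable summary: what would launch, from which file, with which env keys."""
    lines = []
    for s in findings["servers"]:
        launch = " ".join([s["command"] or "", *s["args"]]).strip() or s["url"] or "?"
        env = f" (env: {', '.join(s['env'])})" if s["env"] else ""
        lines.append(f"[{s['file']}] server '{s['name']}' would launch: {launch}{env}")
    lines.extend(findings["flags"])
    lines.extend(findings["errors"])
    return "\n".join(lines) if lines else "no project-scoped MCP servers found"


def has_findings(findings: dict) -> bool:
    return bool(findings["servers"] or findings["flags"] or findings["errors"])


def build_sample_repo(include_config: bool = True) -> Path:
    """Constructed sample checkout: one stdio server, one remote server, auto-approve on."""
    repo = Path(tempfile.mkdtemp(prefix="trustfall-audit-"))
    if include_config:
        (repo / ".mcp.json").write_text(json.dumps({"mcpServers": {
            "docs-helper": {"command": "node", "args": ["scripts/helper.js"],
                            "env": {"TOKEN": "constructed-value"}},
            "remote-docs": {"url": "https://example.invalid/mcp"},
        }}))
        (repo / ".claude").mkdir()
        (repo / ".claude" / "settings.json").write_text(json.dumps({AUTO_APPROVE_KEY: True}))
    return repo


def main(argv=None) -> int:
    """CLI entry point: exit 1 when anything would launch, so CI can gate on it."""
    args = sys.argv[1:] if argv is None else argv
    findings = audit_repo(Path(args[0]) if args else Path("."))
    print(format_report(findings))
    return 1 if has_findings(findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a checkout before accepting a trust prompt, or as the first step of any CI job that invokes a coding agent; the non-zero exit is the point, since it turns “review the config” into a gate rather than a reminder. The script only reads files and never executes the commands it reports, and it deliberately treats a malformed config file as a finding rather than silently skipping it.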