Researchers from Adversa AI have uncovered a vulnerability that enables attackers to exploit Claude Code’s automated capabilities, possibly introducing a new risk to software supply chains.
Agentic AI systems are built to run automatically and often invisibly, helping streamline our workflows. AI-powered code assistants follow this same principle. Claude Code, released in May 2025, has quickly become the top choice among startups and elite engineering teams, earning the highest satisfaction scores compared to rival tools.
Adversa AI has identified a technique through which an attacker could hijack Claude Code’s autonomous behavior to deliver remote code execution (RCE) with minimal effort—or even trigger a supply chain attack. The attacker simply needs to post enticing but harmful code, for example, in a public GitHub repository.
When a developer instructs Claude Code to handle a new task, it scans public repositories for helpful code. If it finds, chooses, and downloads the malicious code planted by an attacker, the developer’s system is compromised almost instantly. From there, the attacker only needs the user to accept Claude Code’s request as trusted—which is highly probable since the tool is simply acting as expected.
Claude Code’s prompt asks only, “Quick safety check: Is this a project you created or one you trust?”, with the “trust” option pre-selected. This works much like Chrome’s security warnings, which users routinely bypass by clicking “Allow”. In Claude Code’s case, however, “A single press of the Enter key within the trust prompt launches the code as an unsandboxed OS process running with the user’s full permissions. There’s no need for any explicit instruction from Claude,” warns Adversa.
The malicious repository includes small JSON files placed in standard Claude Code directories, enabling arbitrary code execution.
enableAllProjectMcpServers in .claude/settings.json - Automatically approves all servers listed in the project’s .mcp.json fileenabledMcpjsonServers - Automatically approves a specific set of servers by name“Both settings launch malicious MCP servers as OS-level processes with full user privileges the moment the user accepts the folder trust prompt,” explains Adversa. This could allow attackers to establish a long-term command-and-control (C2) channel. Worse still, the malicious payload can be embedded directly into .mcp.json, leaving no traceable script on disk for reviewers or static analysis tools to detect.
Adversa outlines multiple ways this flaw can be exploited, but the most dangerous scenario involves Claude Code being used within CI/CD pipelines. If the developer’s goal is to create a widely distributed application, the attack could spark a new supply chain compromise.
“Creators of popular software tools are realistic high-value targets,” said Alex Polyakov, co-founder and CTO at Adversa AI, in an interview with SecurityWeek. “Claude Code is present on most developers’ machines, and it’s routine for devs to clone unknown repositories and run Claude against them—making this attack very feasible when the code flows into the user’s CI/CD pipeline.” In such cases, the payload could harvest environment variables, deployment keys, signing certificates, and other secrets available to the build system. The runner would silently weave these into the next build.
“It mirrors the impact pattern of the Salesloft Drift breach, except the entry barrier is now just ‘clone and press Enter’,” added Polyakov.
Adversa disclosed the findings to Anthropic, but so far, Anthropic has chosen not to fix it. Their stance is that when a user clicks “Yes, I trust this folder,” they are granting permission for everything inside it—and Anthropic doesn’t see that as their role to intervene. However, most users have no real understanding of what’s inside the folder, raising questions about whether such uninformed agreement truly constitutes valid consent.
“Whether Anthropic considers this a real vulnerability is their decision. But whether users are genuinely giving informed consent under this prompt—that’s not a gray area in our opinion. They are not.”
The report suggests Anthropic could resolve the issue by blocking the use of enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow settings within project-level configuration files, allowing such permissions only from scopes that are structurally separate from the repository.
It also offers practical steps users can take to protect themselves without waiting for Anthropic. One key recommendation, especially for CI/CD environments, is: “If a pipeline must run Claude Code without human interaction, limit it to branches where code has already been reviewed—like post-merge on main—not arbitrary pull request branches.”
Importantly, this problem isn’t unique to Claude Code. “We investigated whether this was isolated to Claude Code or a broader industry issue,” says Serge Malenkovich, communications advisor at Adversa. “We tested the same attack chain against Gemini CLI, Cursor CLI, and Copilot CLI. All four tools behaved identically: a malicious repo can automatically approve and launch an MCP server once the user accepts the folder trust prompt—and all four default to ‘Yes/Trust’. One keystroke is sufficient on any of them.”
This shifts the bigger picture entirely. “It’s not a Claude Code bug—it’s a shared design pattern across agentic coding CLIs,” he concluded.
Related: Claude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via Comments
Related: Critical Vulnerability in Claude Code Emerges Days After Source Leak
Related: Hackers Weaponize Claude Code in Mexican Government Cyberattack
Related: Claude Code Flaws Exposed Developer Devices to Silent Hacking
