Tags: ai-platform-security, open-source-dependency-vulnerability, initial-access-method, credential-access-method

GuardFall Shell Injection Bypass Affects Most Open-Source AI Coding Agents

Updated 4h ago. First seen Jul 1, 2026. 4 sources.

Researchers at Adversa AI disclosed GuardFall, a shell-interpretation bypass that affects 10 of 11 surveyed open-source AI coding and computer-use agents, allowing malicious commands to slip past safety filters. The flaw stems from agents checking raw command text while bash later rewrites and evaluates that text through expansion, substitution, and quote handling, enabling decades-old evasion techniques such as quoted token splitting, $IFS expansion, command substitution, and encoded pipelines. Adversa reported successful end-to-end exploitation against the production Plandex binary and said vulnerable agents include Hermes, opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, and SWE-agent, while Continue was the only surveyed tool found to substantially mitigate the issue through structural command parsing and recursive analysis.

The attack becomes especially dangerous when an agent is induced by untrusted content—such as poisoned READMEs, Makefiles, MCP server responses, package metadata, or repository configuration files—to emit commands that are then auto-executed on the user’s host. Adversa warned that successful exploitation could expose SSH keys, cloud credentials, and files in $HOME, and noted that sandbox protections can disappear when agents are run in documented local-host modes. No public in-the-wild exploitation was reported, but researchers urged users to disable auto-execute features, isolate or redirect $HOME, avoid running agents on forked pull requests, audit repository-shipped configs, and adopt tokenize-and-canonicalize command enforcement instead of regex or raw-string blocklists.
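The two paragraphs above describe the defect (a guard reads the raw command string, bash evaluates a rewritten one) and the recommended fix (tokenize-and-canonicalize enforcement with structural, recursive analysis). The following is an added illustration written for this page, not Adversa's tooling and not the code of any agent named here. It uses Python's standard `shlex` lexer as the tokenizer; the deny-list, the helper names (`naive_guard`, `canonicalize`, `hardened_guard`) and the sample commands are all constructed for the demonstration. It runs each rewrite class the disclosure names (quoted token splitting, `$IFS` expansion, backslash escapes, command substitution, a nested `bash -c` script, a decode-and-pipe-to-shell chain) through both a raw-string check and a structural check, so the difference in outcome is visible on the same input.

```python
from __future__ import annotations

import re
import shlex

# Constructed deny-list for this toy guard: programs it refuses to auto-run.
DENIED_PROGRAMS = {"rm", "curl", "wget"}
# Shells whose "-c SCRIPT" argument must itself be analysed (recursion).
SHELL_WRAPPERS = {"sh", "bash", "dash", "zsh"}
# Control operators that end one simple command and start the next.
SEPARATORS = {";", "|", "||", "&", "&&", "(", ")"}
# Constructs whose effect is unknowable before bash runs them: refuse them.
OPAQUE = re.compile(r"\$\(|`|<\(|>\(")


def naive_guard(cmd: str) -> bool:
    """Raw-string check of the kind the disclosure describes as bypassable.
    Returns True when the command is allowed."""
    return not any(re.search(rf"\b{p}\s", cmd) for p in DENIED_PROGRAMS)


def canonicalize(cmd: str) -> list[list[str]]:
    """Tokenize-and-canonicalize: apply the rewrites bash would apply
    (quote removal, backslash escapes, $IFS word splitting) and split the
    result into simple commands. Raises ValueError when the command cannot
    be understood statically (substitution, unterminated quotes)."""
    if OPAQUE.search(cmd):
        raise ValueError("command or process substitution present")
    # Unquoted $IFS / ${IFS} expands to whitespace and splits words, so
    # 'rm$IFS-rf' must canonicalize to ['rm', '-rf'], not stay one token.
    text = re.sub(r"\$\{?IFS\}?", " ", cmd)
    lexer = shlex.shlex(text, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # quotes resolved here: r"m" and r\m -> rm
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:  # raises ValueError on an unterminated quote
        if tok in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def _violates(commands: list[list[str]], depth: int = 0) -> bool:
    """True when any simple command, at any nesting level, is denied."""
    if depth > 3:
        return True  # absurdly nested shells: fail closed
    for argv in commands:
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]  # /bin/rm and rm are the same program
        if prog in DENIED_PROGRAMS:
            return True
        if prog in SHELL_WRAPPERS:
            if "-c" not in argv:
                return True  # script comes from stdin or a file we cannot see
            i = argv.index("-c")
            if i + 1 < len(argv) and _violates(canonicalize(argv[i + 1]), depth + 1):
                return True
    return False


def hardened_guard(cmd: str) -> bool:
    """Structural check: decide on canonical tokens, and refuse anything that
    cannot be canonicalized. Returns True when the command is allowed."""
    try:
        return not _violates(canonicalize(cmd))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample commands: one benign, one plainly denied, and the
    # rest using the rewrite classes named in the disclosure.
    samples = [
        "ls -la ~/projects",
        "rm -rf /tmp/x",
        'r"m" -rf /tmp/x',
        "rm$IFS-rf$IFS/tmp/x",
        "ls -la; r\\m -rf /tmp/x",
        "$(cat /tmp/cmd) -rf /tmp/x",
        'bash -c "r\\"m\\" -rf /tmp/x"',
        "cat /tmp/script.b64 | base64 -d | sh",
    ]
    for s in samples:
        print(f"{s!r:42} naive={naive_guard(s)!s:5} hardened={hardened_guard(s)}")
```

The raw-string guard allows every sample except the plainly written one; the structural guard denies all of them and allows only the benign `ls`. Two design choices carry the weight: anything the lexer cannot resolve statically (substitution, an unterminated quote, a shell reading its script from stdin) is refused rather than allowed, and a shell's `-c` argument is canonicalized and checked again, which is the recursive analysis the story credits to Continue. This is still an approximation of bash: `env`, `xargs`, `find -exec`, aliases and shell functions all need the same treatment, and a production enforcer should sit on a real shell grammar parser rather than on `shlex`.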


Event timeline

3 events, from the most recent confirmed update back to the earliest known activity.
Jun 30, 2026 (2d ago)

Adversa demonstrates end-to-end exploitation against Plandex

As part of its research, Adversa demonstrated end-to-end exploitation against the production Plandex binary using the GuardFall technique. The reporting states this was laboratory research and that no public exploitation had been reported.

Source: GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks

Adversa surveys 11 AI agents and finds 10 vulnerable to GuardFall

Adversa AI surveyed 11 popular open-source AI coding and computer-use agents and found that 10 were vulnerable to GuardFall shell-guard bypasses. Continue was identified as the only surveyed tool whose default evaluator substantially mitigated most tested bypass classes.

Source: AI coding agents vulnerability: GuardFall shell injection | Adversa AI

Adversa publicly discloses the GuardFall shell-guard bypass class

Adversa AI publicly disclosed GuardFall, a class of shell-interpretation bypasses affecting AI coding agents and computer-use agents that execute shell commands on a user's host. The disclosure explained that many agents inspect raw command strings while bash later rewrites and evaluates them, enabling obfuscated commands to evade safety checks.

Source: AI coding agents vulnerability: GuardFall shell injection | Adversa AI
Linked entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story (40 linked).
Affected products (16 linked): Roo Code, Cline, Openhands, Continue, Hermes-Agent, Aider, Bash, Claude Code, Visual Studio Code, Cursor, Docker, Npm, Cursor, Copilot Cli, Crewai, Gemini-Cli
Organizations (24 linked): Block, Roo Code, Cline, Opencode, Continue, Nous Research, Openhands, SST, Roo Code Inc, Plandex, SWE Agent, Plandex AI, Open Interpreter, Aider AI, All Hands AI, Goose, Aider, Anthropic, Linkedin, X, GitHub, Google, Security Affairs, Adversa AI