GuardFall Shell Injection Bypass Affects Most Open-Source AI Coding Agents
Researchers at Adversa AI disclosed GuardFall, a shell-interpretation bypass that affects 10 of 11 surveyed open-source AI coding and computer-use agents, allowing malicious commands to slip past safety filters. The flaw stems from agents checking raw command text while bash later rewrites and evaluates that text through expansion, substitution, and quote handling, enabling decades-old evasion techniques such as quoted token splitting, $IFS expansion, command substitution, and encoded pipelines. Adversa reported successful end-to-end exploitation against the production Plandex binary and said vulnerable agents include Hermes, opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, and SWE-agent, while Continue was the only surveyed tool found to substantially mitigate the issue through structural command parsing and recursive analysis.
The attack becomes especially dangerous when an agent is induced by untrusted content—such as poisoned READMEs, Makefiles, MCP server responses, package metadata, or repository configuration files—to emit commands that are then auto-executed on the user’s host. Adversa warned that successful exploitation could expose SSH keys, cloud credentials, and files in $HOME, and noted that sandbox protections can disappear when agents are run in documented local-host modes. No public in-the-wild exploitation was reported, but researchers urged users to disable auto-execute features, isolate or redirect $HOME, avoid running agents on forked pull requests, audit repository-shipped configs, and adopt tokenize-and-canonicalize command enforcement instead of regex or raw-string blocklists.

How this story unfolded
Three events, listed from the most recent confirmed update back to the earliest known activity.
Adversa demonstrates end-to-end exploitation against Plandex
As part of its research, Adversa demonstrated end-to-end exploitation against the production Plandex binary using the GuardFall technique. The reporting states this was laboratory research and that no public exploitation had been reported.
Adversa surveys 11 AI agents and finds 10 vulnerable to GuardFall
Adversa AI surveyed 11 popular open-source AI coding and computer-use agents and found that 10 were vulnerable to GuardFall shell-guard bypasses. Continue was identified as the only surveyed tool whose default evaluator substantially mitigated most tested bypass classes.
Adversa publicly discloses the GuardFall shell-guard bypass class
Adversa AI publicly disclosed GuardFall, a class of shell-interpretation bypasses affecting AI coding agents and computer-use agents that execute shell commands on a user's host. The disclosure explained that many agents inspect raw command strings while bash later rewrites and evaluates them, enabling obfuscated commands to evade safety checks.
Sources
Shell injection flaw found in 10 of 11 open-source AI agents | brief | SC Media (scworld.com)
GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents (securityaffairs.com)
GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks (thehackernews.com)
AI coding agents vulnerability: GuardFall shell injection | Adversa AI (adversa.ai)


