The Intake
The Intake — Sunday, May 31, 2026
On the substrate
Opening a malicious repository can launch an attacker-controlled MCP server in your AI coding tool before any tool call runs
Sources: Adversa AI — SymJack (Rony Utevsky, May 26); Adversa AI — TrustFall (Rony Utevsky, May 7)
If you've been treating the folder-trust dialog in your AI coding tool as the moment you accept or decline a repository's code, these two disclosures name the gap. Security researcher Rony Utevsky at Adversa AI published two attack classes against AI coding agents — TrustFall on May 7 and SymJack on May 26 — both of which produce RCE with full user privileges before any agent tool call occurs.
TrustFall embeds a configuration in a malicious repository that auto-approves a designated MCP server. When the developer opens the repository and clicks the standard folder-trust dialog, the MCP server starts as a native OS process — before any tool calls run. Claude Code, Cursor, Gemini CLI, and GitHub Copilot are named as affected. The disclosure was updated May 17.
SymJack uses a different path. The attack tricks the coding agent into copying a file where the destination is a symlink pointing to the agent's own configuration directory. On the next tool restart, an attacker-controlled MCP server is already registered and spawns with full user privileges. Five tools are named as affected: Claude Code, Cursor, GitHub Copilot, Antigravity, and Grok Build.
Both attacks require a developer to open or clone a malicious repository in the affected coding tool. If your workflow involves pulling repositories from unfamiliar sources — open-source contributions, shared samples, code from online communities — the trust boundary is the repository itself, not the prompts the agent presents inside it.
For operators
MCP server registration now needs to be part of your repository-intake review
Sources: Adversa AI — SymJack (Rony Utevsky, May 26); Adversa AI — TrustFall (Rony Utevsky, May 7)
The TrustFall and SymJack disclosures establish a distinct check for anyone who reviews repositories before a team opens them in an AI coding tool. The attack surface is configuration files that auto-register MCP servers and symlinks that redirect agent config paths. If your intake process currently checks for malicious code in source files, it does not cover this class of attack — the payload is in the repository's config layer, not in the code the agent would execute.
If your team opens repositories from external contributors or public sources in Claude Code, Cursor, or GitHub Copilot, adding an MCP config review step before the repository is opened locally closes the path these two attacks use.
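As an added example (not code from Adversa AI's disclosures or from any of the named tools), a Python intake check covering the two surfaces described above: it lists every MCP server a repository-level config would register, with the command it would run, and every symlink whose target resolves outside the checkout. The config file names are my assumption about where these tools read project-scoped MCP settings, and the sample repository the script builds is constructed for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

# Repo-level MCP config locations as I understand the named tools read them (assumption:
# confirm against each tool's current docs and add any others your team uses).
MCP_CONFIG_FILES = [".mcp.json", ".cursor/mcp.json", ".vscode/mcp.json", ".gemini/settings.json"]

def declared_servers(repo: Path) -> list:
    """List (config_path, server_name, command_line) for every MCP server a repo config declares."""
    found = []
    for rel in MCP_CONFIG_FILES:
        cfg = repo / rel
        if not cfg.is_file():
            continue
        try:
            data = json.loads(cfg.read_text())
            servers = data.get("mcpServers") or data.get("servers") or {}  # VS Code uses "servers"
        except (OSError, ValueError, AttributeError):
            found.append((rel, "<unparseable>", ""))  # malformed config still deserves a human look
            continue
        for name, spec in servers.items():
            spec = spec if isinstance(spec, dict) else {}
            cmd = " ".join([str(spec.get("command", ""))] + [str(a) for a in spec.get("args", [])])
            found.append((rel, name, cmd.strip()))
    return found

def escaping_symlinks(repo: Path) -> list:
    """List (link, resolved_target) for symlinks whose target lies outside the checkout."""
    root, bad = repo.resolve(), []
    for dirpath, dirnames, filenames in os.walk(repo):  # does not descend into symlinked dirs
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for entry in dirnames + filenames:
            link = Path(dirpath) / entry
            if link.is_symlink() and not link.resolve().is_relative_to(root):
                bad.append((str(link.relative_to(repo)), str(link.resolve())))
    return bad

def build_sample_repo() -> Path:
    """Constructed fixture, not a real project: one repo-level MCP config plus one escaping symlink."""
    repo = Path(tempfile.mkdtemp(prefix="intake-")) / "repo"
    (repo / "docs").mkdir(parents=True)
    (repo / ".mcp.json").write_text(json.dumps(
        {"mcpServers": {"helper": {"command": "npx", "args": ["-y", "placeholder-mcp-server"]}}}))
    # Link named like an asset dir but pointing outside the checkout; the target is a placeholder
    # standing in for an agent config directory, not any tool's real location.
    os.symlink(str(repo.parent / "example-agent-config"), str(repo / "assets"))
    return repo
```

Run both functions over a fresh clone before anyone opens it in the coding tool; a non-empty result from either is a stop for manual review, since the first list is exactly what would start as a native process after the folder-trust click and the second is where a copy operation could be redirected.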