{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/forgecode/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-57860"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ForgeCode"],"_cs_severities":["high"],"_cs_tags":["arbitrary-code-execution","cli","developer-tools","supply-chain"],"_cs_type":"advisory","_cs_vendors":["tailcallhq"],"content_html":"\u003cp\u003eCVE-2026-57860 details a critical arbitrary code execution vulnerability in ForgeCode (tailcallhq/forgecode), an AI pair-programming command-line interface (CLI) tool. This flaw allows malicious actors to achieve initial access and persistence on a developer's system without explicit user confirmation. When a user initializes the \u003ccode\u003eforge\u003c/code\u003e CLI within a repository, the tool automatically parses and executes server definitions from the repository's \u003ccode\u003e.mcp.json\u003c/code\u003e file. A crafted \u003ccode\u003e.mcp.json\u003c/code\u003e can include arbitrary commands and arguments (e.g., \u003ccode\u003ecommand: bash\u003c/code\u003e with \u003ccode\u003eargs: ['-c', 'touch /tmp/pwned']\u003c/code\u003e), which are then executed with the invoking user's privileges. This mechanism provides a reliable attack vector against developers who clone and evaluate untrusted repositories, transforming a seemingly benign action into a compromise opportunity. The vulnerability affects the ForgeCode CLI, commonly used in Linux and macOS development environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a malicious repository containing a specially crafted \u003ccode\u003e.mcp.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e.mcp.json\u003c/code\u003e file is configured with \u003ccode\u003emcpServers\u003c/code\u003e entries that specify arbitrary \u003ccode\u003ecommand\u003c/code\u003e and \u003ccode\u003eargs\u003c/code\u003e values, designed to execute malicious code (e.g., \u003ccode\u003ebash -c 'payload'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious repository is then hosted on a public platform (e.g., GitHub) or distributed to target developers.\u003c/li\u003e\n\u003cli\u003eA victim developer, operating under the assumption of a legitimate code repository, clones the untrusted repository to their local machine.\u003c/li\u003e\n\u003cli\u003eThe developer then navigates into the cloned repository's directory and executes the \u003ccode\u003eforge\u003c/code\u003e CLI command.\u003c/li\u003e\n\u003cli\u003eUpon startup, ForgeCode automatically reads and parses the \u003ccode\u003e.mcp.json\u003c/code\u003e file present in the current repository.\u003c/li\u003e\n\u003cli\u003eWithout requiring further user confirmation, ForgeCode loads and executes the arbitrary commands defined within the malicious \u003ccode\u003e.mcp.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eArbitrary code is executed on the developer's system with the privileges of the invoking user, leading to initial access, persistence, and potential system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-57860 leads to arbitrary code execution on developer workstations. This provides attackers with a reliable initial access vector into development environments, often considered high-value targets due to access to source code, credentials, and build pipelines. The automatic execution on CLI startup also offers a persistence primitive, as the malicious commands would re-execute each time the developer invokes \u003ccode\u003eforge\u003c/code\u003e within the compromised repository. While no specific victim counts are available, any developer using ForgeCode on Linux or macOS who interacts with untrusted repositories is at risk, potentially leading to intellectual property theft, further network compromise, or supply chain attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch ForgeCode (tailcallhq/forgecode) to a version that addresses CVE-2026-57860 immediately upon availability.\u003c/li\u003e\n\u003cli\u003eImplement strong controls and policies against cloning or executing \u003ccode\u003eforge\u003c/code\u003e within untrusted or unverified repositories.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious process execution patterns where the \u003ccode\u003eforge\u003c/code\u003e CLI acts as a parent to unexpected shell commands.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging for both \u003ccode\u003elinux\u003c/code\u003e and \u003ccode\u003emacos\u003c/code\u003e endpoints to ensure telemetry for detection rules is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T17:23:04Z","date_published":"2026-07-17T17:23:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-forgecode-rce/","summary":"CVE-2026-57860 describes an arbitrary code execution vulnerability in ForgeCode, an AI pair-programming CLI tool, where it automatically loads and executes commands specified in a repository's `.mcp.json` file upon startup without user confirmation, allowing attackers to achieve initial access and persistence on developer machines when a user runs `forge` within an untrusted, cloned repository.","title":"ForgeCode AI Pair-Programming CLI Arbitrary Code Execution via Malicious .mcp.json","url":"https://feed.craftedsignal.io/briefs/2026-07-forgecode-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - ForgeCode","version":"https://jsonfeed.org/version/1.1"}