https://feed.craftedsignal.io/products/gemini-cli/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 24 Apr 2026 19:30:01 +0000https://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/Fri, 24 Apr 2026 19:30:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.Gemini CLI (@google/gemini-cli) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the run-gemini-cli GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. The vulnerability arises from the automatic trust of workspace folders in headless mode, allowing malicious environment variables within the .gemini/ directory to be exploited. Furthermore, in --yolo mode, the tool allowlist was previously ignored, enabling prompt injection and code execution via commands like run_shell_command. This poses a risk, especially in CI/CD environments that process untrusted inputs such as pull requests. The patched version 0.39.1 enforces explicit folder trust in headless mode and properly evaluates tool allowlists under --yolo, mitigating these risks. This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.

Attack Chain

1. Attacker submits a malicious pull request to a repository using Gemini CLI in a GitHub Actions workflow.
2. The workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).
3. The attacker’s pull request includes a crafted .gemini/ directory containing malicious environment variables.
4. Gemini CLI loads the malicious environment variables, leading to code execution.
5. Alternatively, the attacker injects a malicious prompt leveraging run_shell_command when --yolo is used.
6. The run_shell_command executes arbitrary commands on the runner due to the bypassed tool allowlist (versions prior to 0.39.1).
7. The attacker gains control of the CI/CD runner, potentially exfiltrating secrets or injecting malicious code into the deployment pipeline.
8. Successful exploitation leads to code execution on the CI/CD runner, data exfiltration, or supply chain compromise.

Impact

The vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.

Recommendation

• Upgrade @google/gemini-cli to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.
• Upgrade actions/google-github-actions/run-gemini-cli to version 0.1.22 or later.
• For workflows running on trusted inputs, set GEMINI_TRUST_WORKSPACE: 'true' in the GitHub Actions workflow.
• For workflows processing untrusted inputs, review the hardening guidance in google-github-actions/run-gemini-cli and set the environment variable accordingly.
• Review and harden tool allowlists in ~/.gemini/settings.json to restrict the commands that can be executed, especially when using the --yolo flag.

]]>criticaladvisoryrcesupply-chaingithub-actionshttps://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/Thu, 02 May 2024 14:22:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.This threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule 9050506c-df6d-4bdf-bc82-fcad0ef1e8c1 focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.

Attack Chain

1. Adversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.
2. The compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.
3. The GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).
4. The macOS system’s network stack resolves the attacker’s domain to its corresponding IP address.
5. The GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.
6. The attacker uses the C2 channel to send commands to the compromised GenAI tool.
7. The GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.

Impact

Compromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization’s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.

Recommendation

• Deploy the Sigma rule “GenAI Process Connecting to Unusual Domain” to your SIEM and tune for your environment (see rule below).
• Enable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.
• Investigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process’s behavior.
• Block any identified malicious domains at the network level (see query in the provided source).
• Review the GenAI tool’s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.
• Regularly update the list of allowed domains in the Sigma rule’s filter to account for legitimate updates to GenAI tool infrastructure.

]]>mediumadvisorygenaicommand and controlmacosnetwork connection