Attack Chain

1. The attacker creates a malicious repository containing attractive code designed to be selected by AI coding agents.
2. The malicious repository includes small JSON files in standard locations (e.g., .claude/settings.json, .mcp.json) with directives like enableAllProjectMcpServers or enabledMcpjsonServers.
3. A developer uses an AI coding agent (e.g., Claude Code) to assist with a coding task.
4. The AI coding agent searches for and locates the attacker’s malicious repository.
5. The AI coding agent suggests using code from the malicious repository to the developer.
6. The developer is prompted with a trust dialog (e.g., “Quick safety check: Is this a project you created or one you trust?”), which defaults to “trust”.
7. Upon the developer’s acceptance, the attacker-defined MCP servers are spawned as OS processes with the user’s full privileges.
8. The spawned server establishes a long-lived C2 connection or directly executes malicious code, potentially including environment variables, deploy keys, signing certificates, and other credentials in the build process, leading to a supply chain attack.

Impact

A successful “TrustFall” attack can lead to complete compromise of a developer’s machine, allowing attackers to gain access to sensitive information and inject malicious code into widely distributed software tools. If the code is destined for the user’s CICD pipeline, the attack can compromise the entire supply chain, affecting potentially thousands of users. The impact includes remote code execution, data exfiltration, and the introduction of backdoors into critical software components. Attackers can steal credentials, signing certificates, and other sensitive data used in the build process, leading to widespread software compromise.

Recommendation

• Monitor process creation events for the execution of unexpected processes with the user’s full privileges immediately after a code repository is accessed (see Sigma rule Detect Suspicious MCP Server Processes).
• Implement controls to prevent AI coding agents from automatically trusting and executing code from untrusted repositories. Specifically, block enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside the project and allow these keys only from scopes structurally outside the repository.
• For CI/CD pipelines using AI coding agents non-interactively, gate them on branches where commits are already reviewed: post-merge on main, not arbitrary PR branches.
• Deploy the Sigma rule Detect MCP JSON File Creation to monitor for the creation of .mcp.json files in project directories, as this file is used to define MCP servers.