What happened
Adversa AI disclosed 'GuardFall' on 2026-06-30 (SecurityWeek coverage confirmed that date): a structural flaw in open-source AI coding agents where decades-old Bash tricks — quote removal, $IFS manipulation, and similar shell metacharacter techniques — bypass the agents' input sanitisation guards. Malicious Bash instructions embedded in a repository (e.g., in a Makefile, .env file, or README) are ingested by the agent and passed to shell execution with the developer's full account authority. 10 of 11 tested agents (including Hermes, OpenCode, Roo-code) failed at least one Bash trick. Only one agent blocked all tested techniques.
Why it matters
AI coding agents routinely run with developer-level filesystem and shell access. A malicious repository containing crafted shell payloads can silently execute arbitrary code when the agent processes it — turning every untrusted repository into a potential supply-chain attack vector. Since these agents are also used in CI/CD pipelines, the blast radius extends to automated build and deployment infrastructure.
Attack vector
An attacker embeds crafted Bash payloads that use quote removal, $IFS spacing, or other shell-expansion tricks in a repository file. When an AI coding agent processes the repository, the payload bypasses the agent's allowlist/denylist guards and is executed in the agent's shell context with the operator's privileges.
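Why a guard that inspects the raw command text fails against quote removal and $IFS, next to one that parses the command the way the shell would and refuses expansions. This is an added example, not code from Adversa AI or from any tested agent; the allowlist, denylist, function names and sample commands are constructed for illustration.

```python
import re
import shlex

# Hypothetical policy for this example: default-deny, only these programs may run.
ALLOWED = {"git", "ls", "cat"}
DENIED = {"curl", "wget"}

# Characters that trigger shell expansion, substitution, chaining or redirection.
SHELL_META = re.compile(r"[$`;&|<>(){}\n]")


def naive_guard(command: str) -> bool:
    """Denylist on the raw first word: the style of check the tricks defeat."""
    words = command.split()
    return bool(words) and words[0] not in DENIED


def strict_guard(command: str):
    """Return the argv to execute without a shell, or None to refuse."""
    # Refuse expansions outright: the guard cannot know what $IFS or $(...)
    # will evaluate to at run time, so it must not try to reason about them.
    if SHELL_META.search(command):
        return None
    try:
        # POSIX-mode shlex performs quote removal, so c""url becomes curl
        # before the policy check, matching what the shell would execute.
        argv = shlex.split(command, posix=True)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv  # pass to subprocess.run(argv, shell=False)


# Constructed sample inputs using the two tricks the page names.
SAMPLES = [
    "curl http://example.invalid/x",
    'c""url http://example.invalid/x',      # quote removal
    "curl${IFS}http://example.invalid/x",   # $IFS used as a separator
    "git status",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} naive={naive_guard(s)} strict={strict_guard(s)}")
```

The strict guard covers command parsing only; an allowed program can still be driven by repository content, so the sandboxing and least-privilege measures under Mitigation remain necessary.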
Affected systems
Multiple open-source AI coding agents tested by Adversa AI (Hermes, OpenCode, Roo-code, and 8 others), in the versions current as of 2026-06-30; only one passed all tests.
Mitigation
Check for vendor-specific patches for each affected agent. Apply the principle of least privilege in agent execution environments. Sandbox agents from the network and filesystem where possible. Monitor for unexpected shell spawning from agent processes.