What happened
Adversa AI publicly disclosed GuardFall on June 30, 2026: a structural class of shell-guard bypasses affecting 10 of 11 popular open-source AI coding and computer-use agents. The root cause is that agents validate the raw command text while bash later rewrites it through expansion and substitution, so a regex-based blocklist never checks the command that actually runs. SecurityWeek and The Hacker News both covered the disclosure on June 30–July 1, 2026. End-to-end exploitation was demonstrated against Plandex. No in-the-wild exploitation has been reported, and no CVE has been assigned yet.
Why it matters
AI coding agents run with the developer's full account authority. A single poisoned repository file — README, Makefile, MCP response, or package metadata — can silently exfiltrate SSH keys and cloud credentials from any developer who clones it and runs a vulnerable agent. With 10 of 11 major tools affected and millions of developers adopting AI coding agents, the supply chain blast radius is enormous.
Attack vector
Agents inspect raw command strings against a safety blocklist, then pass the command to bash. Bash rewrites the string via quote removal, $IFS expansion, command substitution, and encoded pipelines, decades-old shell tricks that the agents' safety checks never accounted for. Adversa AI (GuardFall disclosure, June 30 2026) demonstrated end-to-end exploitation against the production Plandex binary: poisoned content in a repository file triggers the agent to emit an obfuscated command that exfiltrates SSH keys, cloud credentials, and $HOME files.
Affected systems
Hermes, opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent (10 of 11 surveyed); Continue is the only substantially mitigated agent.
Mitigation
Disable auto-execute features in affected agents; isolate or redirect $HOME; avoid running agents on forked pull requests; audit repository-shipped configs; adopt tokenize-and-canonicalize command enforcement (structural parsing) rather than regex/raw-string blocklists. Monitor the Adversa AI blog and individual agent changelogs for patches: https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability
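The following is an added illustration of the gap described under "Attack vector" and of the tokenize-and-canonicalize enforcement recommended above; it is not code from Adversa AI or from any of the agents listed. It contrasts a regex blocklist over the raw string with a guard that first refuses anything containing expansion or substitution (which cannot be resolved statically), then tokenizes the rest with Python's shlex, which applies POSIX quote and backslash removal the way bash does, and judges the resulting argv. The tool categories and sensitive path fragments are assumed placeholders for illustration, and shlex covers only quoting, not brace expansion, globbing or here-documents, so a production enforcer would need a full bash grammar parser behind the same fail-closed structure.

```python
import os
import re
import shlex

# --- Weak approach (constructed illustration): a regex blocklist over the raw command text.
# It sees the string the agent produced, not the argv bash builds after quote removal.
RAW_BLOCKLIST = [re.compile(p) for p in (r"\bcat\b.*\.ssh", r"\bcurl\b", r"\bwget\b")]


def raw_blocklist_allows(cmd: str) -> bool:
    """Return True if no blocklist pattern matches the raw string (the bypassable check)."""
    return not any(p.search(cmd) for p in RAW_BLOCKLIST)


# --- Structural approach: refuse what cannot be canonicalized, tokenize the rest like the shell.
# Any expansion or substitution means the final argv is only known at run time -> route to review.
DYNAMIC = re.compile(r"\$[({A-Za-z_]|`")  # $(...), ${...}, $IFS / $HOME, `...`
SEPARATORS = {"|", "||", "&&", ";", "&"}
# Assumed categories for this example; a real policy would be per-organisation.
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "ssh", "scp"}          # exfiltration-capable -> deny
REPARSERS = {"sh", "bash", "zsh", "eval", "xargs", "env", "base64"}   # re-parse/decode their input -> review
SENSITIVE_FRAGMENTS = (".ssh", ".aws", ".config/gcloud", ".netrc")   # assumed sensitive $HOME locations


def split_pipeline(cmd: str) -> list[list[str]]:
    """Tokenize with POSIX quoting rules (quote and backslash removal) and split into simple commands."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:  # raises ValueError on unbalanced quotes
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def decide(cmd: str) -> tuple[str, str]:
    """Return ('allow' | 'deny' | 'review', reason) for a command the agent wants to run."""
    if DYNAMIC.search(cmd):
        return "review", "contains expansion or substitution the guard cannot resolve statically"
    try:
        commands = split_pipeline(cmd)
    except ValueError as exc:
        return "deny", f"unparseable command: {exc}"
    for argv in commands:
        name = os.path.basename(argv[0])
        if name in NETWORK_TOOLS:
            return "deny", f"network-capable tool {name!r} in pipeline"
        if name in REPARSERS:
            return "review", f"{name!r} re-parses or decodes its input; argv says nothing about what finally runs"
        for arg in argv:
            if any(frag in arg for frag in SENSITIVE_FRAGMENTS):
                return "deny", f"argument {arg!r} touches a sensitive path"
    return "allow", "canonical argv contains only plain tokens"


if __name__ == "__main__":
    # Constructed samples: the third is the quote-removal form described in the advisory.
    for sample in ("ls -la src/", "cat ~/.ssh/id_rsa", '"c"at ~/.ssh/id_rsa', "echo $(whoami)"):
        print(f"{sample!r:26} raw_allows={raw_blocklist_allows(sample)!s:5} structural={decide(sample)}")
```

The design point is the three-way outcome: the raw regex passes the quoted form because it never sees the word "cat", while the structural guard sees the same argv bash would and denies it; anything the guard cannot canonicalize is not silently allowed but escalated to a human, which is what "fail closed" means for an agent that otherwise runs with the developer's full account authority.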