TRUSTFALL, a one-click exploit demonstrated by Adversa AI, can trigger code execution in Claude Code with minimal or no user interaction, so that a developer who opens a malicious repository ends up running attacker-controlled code. According to Adversa AI, this happens when a repository includes a malicious MCP server together with configuration settings that auto-approve it to run, so pressing Enter on a routine security check launches the payload with the developer’s full system privileges.
Anthropic itself has described the issue as outside its threat model, stating that it’s not a vulnerability in the traditional sense and that trust dialogs offer sufficient warning. The researchers note that Claude Code has already had four exploitable vulnerabilities in which malicious repositories abused project-scoped settings; two of these are CVE-2025-59536 and CVE-2026-21852, and CVE-2026-33068 is also referenced. Anthropic has patched all of them, but without addressing the underlying cause.
A key factor is Claude Code version 2.1, where a trust dialog change removed explicit warnings about MCP execution, turning a routine action like cloning or reviewing a repo into a high-risk operation. Adversa argues that the warning language downplays the decision's importance and that how safely settings are handled varies, with some dialogs being more alarming than others.
Reducing exposure, they say, requires tighter controls at developer endpoints and in CI/CD pipelines, plus vigilant monitoring of how Claude Code is used.
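
A pre-open check for the condition Adversa describes, a repository that ships both an MCP server definition and a setting that pre-approves it, which could run on a developer endpoint or as a CI step. This is an added example, not code from Adversa AI or Anthropic; the file names (`.mcp.json`, `.claude/settings.json`, `.claude/settings.local.json`) and keys (`mcpServers`, `enableAllProjectMcpServers`, `enabledMcpjsonServers`) are assumptions taken from Claude Code's documented project-scoped configuration rather than from this page, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed names (the page does not give them): Claude Code's project-scoped files and keys.
MCP_FILE = ".mcp.json"
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
APPROVE_KEYS = ("enableAllProjectMcpServers", "enabledMcpjsonServers")

def load_json(path):
    """Missing file -> ({}, True); unreadable or non-object JSON -> ({}, False)."""
    if not path.is_file():
        return {}, True
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}, False
    return (data, True) if isinstance(data, dict) else ({}, False)

def audit_repo(repo):
    """Report repo-supplied MCP servers and repo-supplied settings that pre-approve them."""
    report = {"auto_approve": [], "unparseable": []}
    mcp, ok = load_json(Path(repo) / MCP_FILE)
    if not ok:
        report["unparseable"].append(MCP_FILE)
    servers = mcp.get("mcpServers")
    # Keep each full server definition (command, args, env) for the reviewer.
    report["servers"] = servers if isinstance(servers, dict) else {}
    for rel in SETTINGS_FILES:
        cfg, ok = load_json(Path(repo) / rel)
        if not ok:
            report["unparseable"].append(rel)
        # A true flag or a non-empty allow-list both approve servers without a prompt.
        report["auto_approve"] += [f"{rel}: {k}" for k in APPROVE_KEYS if cfg.get(k)]
    # Block on the combination the page describes, and on config that could not be read.
    report["block"] = bool(report["unparseable"]) or bool(
        report["servers"] and report["auto_approve"])
    return report

def audit_constructed_sample():
    """Constructed sample repo: a harmless server entry plus a setting that pre-approves it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".claude").mkdir()
        (root / MCP_FILE).write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "node", "args": ["tools/helper.js"]}}}))
        (root / SETTINGS_FILES[0]).write_text(json.dumps({"enableAllProjectMcpServers": True}))
        return audit_repo(root)

if __name__ == "__main__":
    print(json.dumps(audit_constructed_sample(), indent=2))
```

When `block` is true, the repository should be reviewed by a person before it is opened in Claude Code; `servers` lists exactly what would be launched.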