    Cybersecurity

    Decades-Old Bash Tricks Expose AI Coding Agents to Supply Chain Attacks

By The Tech Guy, July 1, 2026

Bash (the Bourne Again SHell), the 1989 GNU replacement for the Unix Bourne shell, can still cause problems more than three decades later. Adversa AI has identified a structural security weakness in multiple open source AI coding agents. It is not a single bug but a route by which malicious Bash instructions can be ingested by the agent and carried into whatever the agent does next, typically with the operator’s approval.

    Adversa calls this structural issue GuardFall.

    “We tested eleven popular open source agents, including Hermes, OpenCode, Roo-code, and others,” explains Omer Ben Simon, lead researcher at Adversa AI. “Ten leave the gap open in one of four ways; and only one closes it.”

The ‘gap’ is a failure to guard the agent against decades-old Bash shell tricks such as quote removal (Bash strips the quotes from r""m before running it, leaving rm) and $IFS spacing (the internal field separator defaults to space, tab and newline, so rm${IFS}-rf is expanded and then word-split into rm -rf). Because these agents run with a developer’s full account authority, the gap can radiate into a major supply chain risk.

    “If an engineer uses a vulnerable agent to read a poisoned README or Makefile from a malicious repository,” continues Ben Simon, “the agent can be tricked into silently executing commands that exfiltrate AWS credentials or wipe whole dev environments – especially in CI pipelines where ‘auto-yes’ modes are default.”

    The full Adversa report explains, “We call the pattern GuardFall: bypasses against pattern-based shell guards in agentic coding tools, where Bash unwinds the obfuscation after the guard has let the command through.”

The trigger for the research was the discovery of an approval-gate bypass in NousResearch/hermes-agent, achieved by rewriting shell commands to slip past a 30-pattern regex denylist. That finding prompted Adversa to survey the most popular open source coding agents and computer-use agents as of May 2026, selected by GitHub star count and community activity.

Not every agent failed every Bash trick Adversa tried, but the bottom line is that only one of the 11 tested agents blocked all of them. The report groups the tricks into five ‘classes’ (A through E). Class E, the most successful, is described as “Alternative argv shapes for the same destructive effect.”

    “Class E survives the most guards, including the strongest tokenized guard in our survey,” explains the report, “because per-flag reasoning requires knowing, for each binary, which flag combinations flip it from benign to destructive.”

However, just as a bug can exist yet be exploitable only under certain conditions, these guard bypasses have preconditions of their own. For one, they only work if the language model cooperates.

If you ask the model directly to “run this: rm” (rm being the command that deletes files), it will typically refuse, recognizing the request as dangerous. But an indirect or disguised request, such as a command hidden inside a Makefile target, is far more likely to be carried out without objection.

The research examines whether commands embedded by an attacker in content the agent ingests (from a malicious MCP server, a fetched web page, or any of several other sources) will be acted on by the agent. The answer is too often yes. The agent then emits a destructive shell command that runs with the operator’s authority, but only if auto-execute mode is on or a sandbox has been switched to local mode.

Exploiting GuardFall is a multi-step process, but complexity has not stopped bad actors in the past. For the sake of their users, open source agent maintainers should make such Bash tricks impossible rather than rely on the obscurity of the process.

Continue was the only agent whose guard held up against Adversa’s tests. “Of 21 bypass cases submitted to the evaluator, 0 reach allowedWithoutPermission, and all 12 canonical-destructive cases are correctly downgraded,” say the researchers. “The design is not perfect – Class C inside a quoted argument and the full long tail of Class E (per-argv-flag reasoning) remain open – but it is the only agent in our survey that closes the structural majority of the surface.”

The researchers studied how this was achieved, built on it, and developed their own set of recommendations to stop GuardFall and keep invisible Bash trickery out of the supply chain. Several of these involve guards placed around the agent rather than inside it.

    For example, “Run agents from a scoped shell with $HOME redirected. A one-line wrapper (HOME=$HOME/.agent-sandbox-$RANDOM agent   …) keeps the project directory but removes ~/.ssh/, ~/.aws/, shell history, and the other secrets in $HOME: the largest credential-exfiltration surface. This is the strongest stopgap because it is always-on and has no documented one-flag opt-out.”

Other options include disabling auto-yes modes, auditing repo-shipped configs, and blocking agent execution on fork PRs. In the end, however, these are all stopgaps. As the report puts it, “A guard inspects raw text, while system shell (Bash) expands, unquotes, and rewrites text before running it.” There is therefore a mismatch between what the guard believes will run and what Bash actually runs. That is the structural gap Adversa’s Bash tricks exploit.

The only long-term fix is for open source agent maintainers to implement a Continue-style tokenize-and-canonicalize evaluator guard inside the agent itself, so that the guard reasons about the argv Bash will actually execute rather than the raw text it was handed.
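As an added illustration (example code written for this article, not Adversa’s report code and not any agent’s own guard), the following Python script contrasts a constructed, hypothetical regex denylist with a small tokenize-and-canonicalize evaluator over the tricks discussed above: quote removal, $IFS spacing, $HOME as a spelling of ~, a benign command prefixed with &&, a redirection instead of an operand, and the Class E problem of alternative argv shapes (rm -r -f, find -delete). The denylist patterns, the sample commands and the per-binary rules are all assumptions made for the example; the real 30-pattern list and the report’s class definitions are not reproduced here.

```python
"""Regex denylist versus tokenize-and-canonicalize guard for agent shell commands."""
from __future__ import annotations

import re
import shlex

# Constructed, hypothetical denylist in the spirit of the 30-pattern regex
# denylist the article mentions; the real patterns are not on the page.
DENYLIST = [
    re.compile(r"\brm\s+-[A-Za-z]*[rR][A-Za-z]*f\b"),  # rm -rf, rm -Rf, rm -xrf ...
    re.compile(r"\brm\s+-[A-Za-z]*f[A-Za-z]*[rR]\b"),  # rm -fr
    re.compile(r"~/\.(aws|ssh)\b"),                     # credential stores under $HOME
    re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"),            # curl ... | sh
]


def regex_guard(raw: str) -> bool:
    """Pattern-based guard: allow unless a denylist regex matches the raw text."""
    return not any(pattern.search(raw) for pattern in DENYLIST)


# Bash expands $IFS to its value (space, tab, newline by default) and then
# word-splits on it; $HOME is simply another spelling of ~.
_IFS = re.compile(r"\$\{IFS\}|\$IFS(?![A-Za-z0-9_])")
_HOME = re.compile(r"\$\{HOME\}|\$HOME(?![A-Za-z0-9_])")
_PUNCT = set("();<>|&")  # shlex emits runs of these as their own tokens


def canonicalize(raw: str) -> list[list[str]]:
    """Approximate what Bash will execute: quote removal (shlex in POSIX mode
    turns r""m, r'm' and r\\m into rm), $IFS back into whitespace, $HOME into ~,
    and a split into simple commands at ; && || | & < > and parentheses.
    Raises ValueError on unbalanced quotes; the caller treats that as a block."""
    lexer = shlex.shlex(raw, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # Bash only treats # as a comment at word start
    commands: list[list[str]] = []
    argv: list[str] = []
    for tok in lexer:
        if tok and set(tok) <= _PUNCT:  # separator or redirection operator
            if argv:
                commands.append(argv)
            argv = []
            continue
        tok = _HOME.sub("~", tok)
        # A quoted "$IFS" would not be word-split by Bash; splitting it anyway
        # errs on the side of blocking, which is the right side for a guard.
        argv.extend(_IFS.sub(" ", tok).split())
    if argv:
        commands.append(argv)
    return commands


CREDENTIAL_PATHS = ("~/.aws", "~/.ssh")
_LONG_FLAGS = {"--recursive": "r", "--force": "f"}


def is_destructive(argv: list[str]) -> bool:
    """Per-binary reasoning over the canonical argv (the report's 'Class E'
    problem): decide from flags and operands, not spelling, whether the call
    deletes recursively or touches a credential store. Only rm and find are
    modelled here; every other binary is the long tail the report describes."""
    prog = argv[0].rsplit("/", 1)[-1]  # /bin/rm and rm are the same binary
    if prog == "rm":
        flags: set[str] = set()
        for arg in argv[1:]:
            if arg == "--":
                break
            if arg.startswith("--"):
                flags.add(_LONG_FLAGS.get(arg, arg))
            elif arg.startswith("-") and len(arg) > 1:
                flags.update(arg[1:].replace("R", "r"))  # -rf, -fr, -r -f, -Rf ...
        return "r" in flags
    if prog == "find":
        return "-delete" in argv[1:]
    # Any mention of a credential store counts, including a redirection target:
    # canonicalize() turns `cat < ~/.aws/credentials` into its own pseudo-argv.
    return any(arg.startswith(CREDENTIAL_PATHS) for arg in argv)


def canonical_guard(raw: str) -> bool:
    """Tokenize-and-canonicalize guard: allow only if every simple command is
    benign after expansion; fail closed on text shlex cannot parse."""
    try:
        commands = canonicalize(raw)
    except ValueError:
        return False
    return not any(is_destructive(argv) for argv in commands)


# Constructed sample commands, not taken from the report.
CASES = [
    ('r""m -rf ./build', "quote removal: Bash sees rm"),
    ("rm${IFS}-rf${IFS}./build", "$IFS spacing: expands to rm -rf ./build"),
    ("git status && r'm' -fr ./build", "benign prefix, quotes and reordered flags"),
    ("rm -r -f ./build", "alternative argv shape for the same effect"),
    ("find ./build -delete", "different binary, same effect"),
    ("cat $HOME/.aws/credentials", "$HOME instead of ~"),
    ("cat < $HOME/.aws/credentials", "redirection instead of an operand"),
    ("rm -rf ./build", "plain spelling: both guards block"),
    ("rm -f ./build/stale.o", "benign: both guards allow"),
]


def survey(cases=CASES) -> list[tuple[str, bool, bool]]:
    """Run both guards over each raw command; True means the guard allowed it."""
    return [(raw, regex_guard(raw), canonical_guard(raw)) for raw, _ in cases]


if __name__ == "__main__":
    for (raw, allowed_regex, allowed_canonical), (_, note) in zip(survey(), CASES):
        print(f"{raw!r:36} regex={'allow' if allowed_regex else 'BLOCK'} "
              f"canonical={'allow' if allowed_canonical else 'BLOCK'}  # {note}")
```

Run it and the table shows the regex guard allowing every obfuscated form while the canonical guard blocks them, with the plain rm -rf and the benign rm -f treated the same way by both. The evaluator deliberately over-blocks in two places (a quoted "$IFS", and any argument under ~/.ssh regardless of the binary) and fails closed on input shlex cannot parse; it still models only two binaries, which is exactly the per-binary long tail the report says remains open even for Continue.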

    Related: When Information Becomes the Attack Surface – Understanding AI Agent Traps

    Related: macOS Weaknesses Chained to Silently Disable Endpoint Security Agents

    Related: Willow Raises $7 Million for Securing Autonomous AI Agents

    Related: Security of 100 AI Agents Tested and Ranked – What You Need to Know
