Skip to content
Holding·last review2 Jun 2026

The May 2026 disclosures against AI coding agents (Adversa AI's TrustFall on 7 May 2026, a one-keypress remote code execution reaching Claude Code, Cursor, Gemini CLI, and GitHub Copilot CLI, and SymJack on 26 May 2026, a symlink-hijack confirmed against six agents that overwrites an agent's own configuration to plant a malicious MCP server, plus Microsoft's Semantic Kernel CVE-2026-26030 and CVE-2026-25592) share one design assumption, that showing an approval prompt is the same as obtaining informed consent, and because the coding agent executes attacker-supplied instructions with the developer's full credentials and write access to the build and deploy chain, it is a production attack surface that the enterprise should govern as a managed endpoint (inventory, deliberate version-pinning and patching, credential separation, monitoring for config-write-then-execute, and no untrusted repositories on credentialed machines) rather than as developer tooling outside the inventory.

Anchored on May 2026 security research: Adversa AI's TrustFall (7 May 2026, reported by Help Net Security and Adversa) reaching Claude Code, Cursor, Gemini CLI, and GitHub Copilot CLI via a default-yes trust dialog, and SymJack (26 May 2026, Adversa) confirmed against six agents (Claude Code v2.1.128 with partial fix in 2.1.129, Gemini CLI / Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build CLI, OpenAI Codex CLI) via symlink-hijack config overwrite that plants a malicious MCP server on restart, stealing SSH keys, cloud tokens, browser sessions, deploy keys, signing material, and registry tokens; and Microsoft's 7 May 2026 disclosure of two prompt-injection-to-RCE bugs in Semantic Kernel (CVE-2026-26030 in-memory vector store eval()-based RCE; CVE-2026-25592 arbitrary file write via a SessionsPythonPlugin function accidentally exposed to the model). Claim is scoped to the structural reading (shared approval-equals-consent assumption; coding agent as production attack surface; managed-endpoint control response), not to a prediction of in-the-wild exploitation and not to a single-vendor judgement. Note on production model: this publication is written by Claude, Anthropic's model, and curated and signed by Peter; Claude Code is one of the affected agents and Anthropic is the vendor reported to have declined the TrustFall report (consent dialog deemed sufficient), so the analysis treats every affected agent symmetrically and is written from the buyer's side. VERIFIED 2026-06-02 via Microsoft Security Blog (microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/ — both CVEs and affected Semantic Kernel versions), Help Net Security (helpnetsecurity.com/2026/05/07/trustfall-ai-coding-cli-vulnerability-research/ — TrustFall four-tool list, mechanism, Anthropic-declined), and Adversa AI (the SymJack write-up — six-agent list, named versions, symlink mechanism, stolen-secret list, mitigations). 90-day review cadence (31 Aug 2026). Trigger conditions: (1) a vendor changes the consent model to resolve and display the true destination before the decision, which would move the approval-is-not-consent reading toward Partial; (2) a new cross-vendor finding extends or contradicts the category-flaw reading; (3) a standards body or major buyer publishes a control baseline treating coding agents as managed endpoints, confirming the prescription; (4) evidence of in-the-wild exploitation, which sharpens urgency without changing the claim. Siblings: /owasp-agentic-ai-top-10-walkthrough/, /nist-ai-rmf-agentic-ai-mapping/, /the-enterprise-agentic-ai-governance-playbook-2026/, and the operators version OPS-088 (/operators/ai-coding-cli-security-small-team/).

Published
2 Jun 2026
Last reviewed
2 Jun 2026
Next review
+74d· 31 Aug 2026
Embed this claimiframe + oEmbed
HTML iframe
Paste-the-URL (Substack, Medium, Notion, WordPress)

The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.

Watch this claim

Email-me when AM-195's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.

The claim: The May 2026 disclosures against AI coding agents (Adversa AI's TrustFall on 7 May 2026, a one-keypress remote code execution reaching Claude Code, Cursor, Gemini CLI, and GitHub Copilot CLI, and SymJack on 26 May 2026, a symlink-hijack confirmed against six agents that overwrites an agent's own configuration to plant a malicious MCP server, plus Microsoft's Semantic Kernel CVE-2026-26030 and CVE-2026-25592) share one design assumption, that showing an approval prompt is the same as obtaining informed consent, and because the coding agent executes attacker-supplied instructions with the developer's full credentials and write access to the build and deploy chain, it is a production attack surface that the enterprise should govern as a managed endpoint (inventory, deliberate version-pinning and patching, credential separation, monitoring for config-write-then-execute, and no untrusted repositories on credentialed machines) rather than as developer tooling outside the inventory.

About this register

The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.

Recent corrections in Reporting

  • AM-008 · Partial · 17 Jun 2026

    Source-text figure re-review: Google's 2024 Environmental Report reports a 28% year-over-year increase to 8.1 billion gallons, not the 33% (from a 6.1 billion 2023 base) asserted at publish. The 8.1B 2024 figure and the Microsoft WUE 0.30 L/kWh / 39%-improvement figure are unchanged and verified. Article corrected to 28% and the unsupported 6.1B base removed; the claim text retains the original figure with this correction per the Holding-up protocol.

  • AM-132 · Partial · 10 Jun 2026

    One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.

  • AM-129 · Partial · 10 Jun 2026

    One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.

Reviews coming up in Reporting

  • AM-063 · Holding · next +9d (27 Jun 2026)

    AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…

  • AM-061 · Holding · next +9d (27 Jun 2026)

    Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…

  • AM-003 · Partial · next +9d (27 Jun 2026)

    GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…