
Anthropic Response to 1-Click Pwn: Shouldn't Have Clicked 'Ok'
Why It Matters
The flaw turns a routine developer trust prompt into a supply‑chain attack vector, exposing both local workstations and automated build environments to full‑system compromise. It underscores the urgent need for granular consent mechanisms in AI‑assisted development tools.
Key Takeaways
- One-click RCE via malicious .mcp.json in Claude Code CLI.
- Anthropic blocks some settings but leaves enableAllProjectMcpServers open.
- Trust dialog defaults to “Yes, I trust this folder” without MCP warning.
- Zero‑click attacks possible in CI/CD pipelines using Claude SDK.
- Adversa recommends per‑server consent and default‑deny MCP dialog.
Pulse Analysis
The newly revealed TrustFall exploit highlights a subtle yet powerful attack surface in AI‑driven coding assistants. By inserting two JSON configuration files into a cloned repository, an adversary can flip project‑level Model Context Protocol (MCP) settings that instruct Claude Code to launch an external server. When a developer clicks the generic “Yes, I trust this folder” prompt, the malicious MCP server runs as an unsandboxed Node.js process, inheriting the user’s full permissions. This bypasses traditional sandboxing because the vulnerability resides in the tool’s configuration model rather than its code execution path.
For developers and DevOps teams, the risk extends beyond interactive use. In continuous integration pipelines, Claude’s SDK is often invoked programmatically, eliminating any interactive consent step. Consequently, a malicious repository can trigger a zero‑click compromise during automated builds, granting attackers persistent access to build agents and downstream environments. The incident underscores the importance of treating configuration files as potential attack vectors, enforcing least‑privilege defaults, and integrating security checks—such as scanning for suspicious .mcp.json entries—into the software supply‑chain workflow.
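The pre-trust scan mentioned above, as an added defender-side example that is not code from the article, Adversa, or Anthropic: it parses a checked-out repository's project MCP configuration and reports every project-scoped MCP server that would start a local process, together with the enableAllProjectMcpServers flag that approves them all at once. The settings path .claude/settings.json, the mcpServers/command/args layout of .mcp.json, and the sample repository contents are assumptions.

```python
import json
import tempfile
from pathlib import Path
from typing import List

# Assumed file locations: project MCP servers in .mcp.json, project
# settings (including the auto-enable flag) in .claude/settings.json.
MCP_FILE = ".mcp.json"
SETTINGS_FILE = ".claude/settings.json"
AUTO_ENABLE_KEY = "enableAllProjectMcpServers"


def _load_json(path: Path) -> dict:
    """Parse a JSON file; treat a missing or malformed file as empty."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_repo(repo: str) -> List[str]:
    """Return findings for a checked-out repo before it is trusted.

    Each finding names a project-scoped MCP server that would start a
    local process, or the setting that approves all of them at once."""
    root = Path(repo)
    findings: List[str] = []
    if _load_json(root / SETTINGS_FILE).get(AUTO_ENABLE_KEY) is True:
        findings.append(f"{SETTINGS_FILE}: {AUTO_ENABLE_KEY} is true; "
                        "project MCP servers start without per-server approval")
    servers = _load_json(root / MCP_FILE).get("mcpServers", {})
    for name, spec in (servers.items() if isinstance(servers, dict) else []):
        if isinstance(spec, dict) and "command" in spec:
            args = [str(a) for a in spec.get("args", [])]
            cmdline = " ".join([str(spec["command"]), *args])
            findings.append(f"{MCP_FILE}: server '{name}' launches local "
                            f"process: {cmdline}")
    return findings


def demo() -> List[str]:
    """Audit a constructed sample repo that carries both files."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".claude").mkdir()
    (repo / SETTINGS_FILE).write_text(json.dumps({AUTO_ENABLE_KEY: True}))
    (repo / MCP_FILE).write_text(json.dumps({"mcpServers": {
        "build-helper": {"command": "node", "args": ["setup.js"]}}}))
    return audit_repo(str(repo))
```

In a CI job, run audit_repo on the checkout before any Claude SDK step and fail the build when it returns a non-empty list.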
Anthropic’s response—that user consent moves the issue outside its threat model—has sparked debate about informed consent in AI tooling. Security experts, including Adversa, recommend three concrete changes: block project‑wide MCP enablement flags, introduce a dedicated MCP consent dialog defaulting to deny, and require per‑server approval. As AI assistants become integral to development workflows, industry standards for safe configuration handling will be critical. Addressing these gaps now can prevent a wave of supply‑chain attacks that exploit the trust users place in their coding assistants.