Security firm Adversa AI on June 30, 2026 disclosed "GuardFall," a vulnerability pattern that bypasses the Bash command-execution guards of open-source AI coding agents using classic shell parsing behaviors known for over 30 years. Of 11 products tested, the bypass worked on 10.
June 30, 2026 · Adversa AI
"GuardFall": 30-Year-Old Bash Tricks Break AI Coding Agent Guards
A mismatch between the string a guard inspects and what Bash actually runs after expansion lets classic shell behaviors slip past command denylists — turning a single poisoned repo into a supply-chain threat.
10/11: open-source agents bypassed
~548K: combined GitHub stars of agents tested
30+: years these shell tricks have been known
VULNERABLE vs. SAFE
Of 11 agents tested, only one structurally held the line.
The core flaw
A guard inspects the raw string — Bash runs the expanded one.
Text denylists see harmless-looking input; quote removal and expansion reveal the real command at execution time.
r''m -rf → quote removal → rm -rf executes
Other vectors: $IFS field splitting · $(command) substitution · base64 piped into sh · alternate argv shapes (find -delete, dd, tar) — the "Class E" alternate-argv shapes defeated the most guards.
No malicious prompt needed
The model is steered via operational context: poisoned READMEs, Makefiles, or MCP server responses. Even when it refuses blatant instructions, it still emits dangerous commands through mechanisms like Makefile targets.
Why it escalates
Agents run on a host Bash shell with the developer's full privileges — SSH keys, AWS credentials, the home directory. As auto-exec and unattended CI spread, one malicious repo becomes a supply-chain attack.
THE DEBATE: how should guards be built?
Structural approach
Enforce whitelists, sandboxes, and tokenization-plus-normalization — as in Continue's default IDE mode: 0 of 21 bypass cases allowed, 12 destructive cases downgraded.
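The gap between a text denylist and the tokenization-plus-normalization approach described above, as an added Python sketch that is not code from Adversa AI or from any of the tested agents. The function names, the allowlist and the sample commands are constructed for illustration, and Python 3.9+ is assumed.

```python
import shlex

# Constructed policy for this sketch; a real allowlist is project-specific.
DENY_SUBSTRINGS = ("rm -rf",)             # what a text denylist searches for
ALLOWED_COMMANDS = {"ls", "cat", "echo", "pwd"}
DYNAMIC_CHARS = set("$`\n\r")             # expansion syntax or a second line
OPERATOR_CHARS = set("();<>|&")           # shlex punctuation_chars=True set


def naive_guard(command: str) -> bool:
    """Text denylist: allow unless a banned substring is in the raw string."""
    return not any(bad in command for bad in DENY_SUBSTRINGS)


def normalize(command: str) -> list[str]:
    """Tokenize with POSIX quoting so quote removal happens before any check."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""                 # '#' inside a word is not a comment
    return list(lexer)


def structural_guard(command: str) -> tuple[bool, str]:
    """Allowlist on the normalized argv; deny whatever cannot be resolved."""
    if DYNAMIC_CHARS & set(command):
        return False, "expansion syntax or newline: argv not statically known"
    try:
        argv = normalize(command)
    except ValueError as exc:             # e.g. unbalanced quotes
        return False, f"unparseable: {exc}"
    if not argv:
        return False, "empty command"
    if any(tok and set(tok) <= OPERATOR_CHARS for tok in argv):
        return False, "shell operator present: not a single simple command"
    if argv[0] not in ALLOWED_COMMANDS:
        return False, f"command {argv[0]!r} is not on the allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the first is the quote-removal case from the page.
    for cmd in ("r''m -rf build", "ls -la src", "echo $(pwd)", "ls; pwd"):
        print(f"{cmd!r:20} naive={naive_guard(cmd)} structural={structural_guard(cmd)}")
```

The check covers only the command name, so the alternate-argv vectors listed above (find -delete, dd, tar) are kept out here by leaving those commands off the allowlist; admitting them would require per-argument rules.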
The tradeoff
Tighter guards cut against the convenience of auto-exec and CI workflows — and model safety training alone cannot close the gap.