# [HIGH] GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks **Source:** The Hacker News **Published:** 2026-06-30 **Article:** https://thehackernews.com/2026/06/guardfall-exposes-open-source-ai-coding.html ## Threat Profile GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks  Swati Khandelwal  Jun 30, 2026 AI Security / Software Supply Chain The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from  Adversa AI , which is named the bypass GuardFall , found it works against ten of the eleven popular open-source coding and computer-use agents the fi… ## Indicators of Compromise (high-fidelity only) - _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run. ## MITRE ATT&CK Techniques - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials - **T1566.002** — Spearphishing Link - **T1204.001** — User Execution: Malicious Link - **T1059.001** — PowerShell - **T1204.004** — User Execution: Malicious Copy and Paste - **T1219** — Remote Access Software - **T1195.002** — Compromise Software Supply Chain - **T1027.010** — Command Obfuscation - **T1140** — Deobfuscate/Decode Files or Information - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1059** — Command and Scripting Interpreter - **T1552.001** — Unsecured Credentials: Credentials In Files - **T1552.004** — Unsecured Credentials: Private Keys - **T1005** — Data from Local System - **T1195.001** — Supply Chain Compromise: Compromise Software Dependencies and Development Tools - **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Shell blocklist bypass via empty-quote/token-split binary names (GuardFall) `UC_3_6` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("aider","goose","cline","plandex","opencode","open-interpreter","openhands","swe-agent","roo-code","node","python","python3") Processes.process_name IN ("bash","sh","dash","zsh") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id | `drop_dm_object_name(Processes)` | where match(process, "(?i)([a-z])'{2,}[a-z]|base64\s+-d.*\|\s*(ba)?sh|\bdd\s+.+of=/dev/|find\s+.+-delete|find\s+.+-exec\s+rm") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(14d) | where InitiatingProcessFileName in~ ("aider","goose","cline","plandex","opencode","open-interpreter","openhands","swe-agent","node","python","python3") | where FileName in~ ("bash","sh","dash","zsh") | where ProcessCommandLine matches regex @"(?i)([a-z])'{2,}[a-z]|base64\s+-d.*\|\s*(ba)?sh|\bdd\s+.+of=/dev/|find\s+.+-delete|find\s+.+-exec\s+rm" | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Open-source AI coding agent auto-execute flag spawning a shell `UC_3_7` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("aider","goose","cline","plandex","opencode","open-interpreter","openhands","swe-agent","interpreter") Processes.process_name IN ("bash","sh","dash","zsh","python","python3") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | where match(parent_process, "(?i)--auto-exec|--auto-run|--auto-test|--yes-always|--no-confirm|dangerously-skip-permissions") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(14d) | where InitiatingProcessFileName in~ ("aider","goose","cline","plandex","opencode","open-interpreter","openhands","swe-agent","interpreter") | where InitiatingProcessCommandLine has_any ("--auto-exec","--auto-run","--auto-test","--yes-always","--no-confirm","dangerously-skip-permissions") | where FileName in~ ("bash","sh","dash","zsh","python","python3") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### AI agent shell reaching into ~/.ssh / ~/.aws credential files `UC_3_8` · phase: **actions** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("aider","goose","cline","plandex","opencode","open-interpreter","openhands","swe-agent","node","python","python3") Processes.process_name IN ("bash","sh","dash","zsh","cat","cp","tar","scp","curl","wget","base64") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | where match(process, "(?i)\.ssh/id_(rsa|ed25519|ecdsa)|\.aws/credentials|\.config/gcloud|\.kube/config|\.netrc|\.docker/config\.json") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(14d) | where InitiatingProcessFileName in~ ("aider","goose","cline","plandex","opencode","open-interpreter","openhands","swe-agent","node","python","python3") | where FileName in~ ("bash","sh","dash","zsh","cat","cp","tar","scp","curl","wget","base64") | where ProcessCommandLine matches regex @"(?i)\.ssh/id_(rsa|ed25519|ecdsa)|\.aws/credentials|\.config/gcloud|\.kube/config|\.netrc|\.docker/config\.json" | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Untrusted in-repo AI agent config (.aider.conf.yml) landing from clone/checkout `UC_3_9` · phase: **delivery** · confidence: **Low** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (".aider.conf.yml",".aider.conf.yaml","aider.conf.yml") by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_name | `drop_dm_object_name(Filesystem)` | where process_name IN ("git","node","python","python3","aider","tar","unzip") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(14d) | where ActionType in ("FileCreated","FileModified","FileRenamed") | where FileName in~ (".aider.conf.yml",".aider.conf.yaml","aider.conf.yml") | where InitiatingProcessFileName in~ ("git","node","python","python3","aider","tar","unzip") | project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### Phishing-link click correlated to endpoint execution `UC_PHISH_LINK` · phase: **delivery** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Phishing-link click that drives endpoint execution within 60s ``` | tstats `summariesonly` earliest(_time) AS click_time from datamodel=Web where Web.action="allowed" by Web.src, Web.user, Web.dest, Web.url | `drop_dm_object_name(Web)` | rename user AS recipient, dest AS clicked_domain, url AS clicked_url | join type=inner recipient [| tstats `summariesonly` count from datamodel=Email.All_Email where All_Email.action="delivered" AND All_Email.url!="-" by All_Email.recipient, All_Email.src_user, All_Email.url, All_Email.subject | `drop_dm_object_name(All_Email)` | rex field=url "https?://(?[^/]+)" | rename recipient AS recipient] | join type=inner src [| tstats `summariesonly` earliest(_time) AS exec_time values(Processes.process) AS exec_cmd, values(Processes.process_name) AS exec_proc from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("chrome.exe","msedge.exe","firefox.exe", "outlook.exe","brave.exe","arc.exe") AND Processes.process_name IN ("powershell.exe","pwsh.exe","cmd.exe","mshta.exe", "rundll32.exe","regsvr32.exe","wscript.exe", "cscript.exe","bitsadmin.exe","certutil.exe", "curl.exe","wget.exe") by Processes.dest, Processes.user | `drop_dm_object_name(Processes)` | rename dest AS src] | eval delta_sec = exec_time - click_time | where delta_sec >= 0 AND delta_sec <= 60 | table click_time, exec_time, delta_sec, recipient, src, src_user, subject, clicked_domain, clicked_url, exec_proc, exec_cmd | sort - click_time ``` **Defender KQL:** ```kql // Phishing-link click that drives endpoint execution within 60s. // Far higher fidelity than "every clicked URL" — most legitimate clicks // never spawn a non-browser child process, so the join eliminates the // 99% of noise that makes a raw click query unactionable. let LookbackDays = 7d; let SuspectClicks = UrlClickEvents | where Timestamp > ago(LookbackDays) | where AccountName !endswith "$" | where ActionType in ("ClickAllowed","ClickedThrough") | join kind=inner ( EmailEvents | where Timestamp > ago(LookbackDays) | where DeliveryAction == "Delivered" | where EmailDirection == "Inbound" | project NetworkMessageId, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, EmailTimestamp = Timestamp ) on NetworkMessageId | join kind=leftouter ( EmailUrlInfo | project NetworkMessageId, Url, UrlDomain ) on NetworkMessageId, Url | project ClickTime = Timestamp, AccountUpn, IPAddress, Url, UrlDomain, Subject, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, ActionType; // Correlate to a non-browser child process spawned within 60 seconds on // the recipient's device. DeviceProcessEvents | where Timestamp > ago(LookbackDays) | where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe", "outlook.exe","brave.exe","arc.exe") | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","mshta.exe", "rundll32.exe","regsvr32.exe","wscript.exe","cscript.exe", "bitsadmin.exe","certutil.exe","curl.exe","wget.exe") | join kind=inner SuspectClicks on $left.AccountName == $right.AccountUpn | where Timestamp between (ClickTime .. ClickTime + 60s) | project ClickTime, ProcessTime = Timestamp, DelaySec = datetime_diff('second', Timestamp, ClickTime), DeviceName, AccountName, RecipientEmailAddress, SenderFromAddress, Subject, Url, UrlDomain, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName | order by ClickTime desc ``` ### Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) `UC_FAKECAPTCHA` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("explorer.exe","RuntimeBroker.exe") AND Processes.process_name IN ("powershell.exe","pwsh.exe","mshta.exe") AND (Processes.process="*iex*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*FromBase64*" OR Processes.process="*DownloadString*" OR Processes.process="*hxxp*" OR Processes.process="*curl*" OR Processes.process="*wget*") by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("explorer.exe","RuntimeBroker.exe") | where FileName in~ ("powershell.exe","pwsh.exe","mshta.exe") | where ProcessCommandLine matches regex @"(?i)(iex|invoke-expression|frombase64|downloadstring|hxxp|curl |wget )" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### Trusted vendor binary / installer launching unusual children `UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe") AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe") | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ## Why this matters Severity classified as **HIGH** based on: 10 use case(s) fired, 19 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.