Adversa AI has discovered a structural security flaw in multiple open-source AI agents, allowing malicious Bash instructions to be ingested into the agent and potentially executed with operator approval. The issue, dubbed "GuardFall," affects 10 out of 11 popular open-source agents tested by Adversa, including Hermes, OpenCode, and Roo-code.
What Happened
The discovery was made after Adversa's researchers found a vulnerability in the NousResearch/hermes-agent approval gate bypass via shell rewrites against a 30-pattern regex denylist. This prompted an examination of the most popular open-source coding agents and computer use agents as of May 2026, based on GitHub star count and community activity.
Adversa's researchers tested 11 popular open-source AI agents and found that only one, Continue, was able to maintain a guard against their Bash tricks. The other 10 agents left the gap open in one of four ways, making it possible for malicious Bash instructions to be ingested into the agent.
The "gap" refers to the failure to guard the agent against decades-old Bash shell tricks, such as quote removal and $IFS spacing. Since these agents run with a developer's full account authority, this can radiate into a major supply chain risk.
Background and Context
The root cause of the issue is not a specific bug but a process that can get malicious Bash instructions ingested into the agent. This process relies on the agent's inability to guard against Bash tricks, which can be used to execute destructive commands with operator approval.
Adversa's researchers explain that the issue is not just a matter of patching a specific bug but rather a fundamental flaw in the design of many open-source AI agents. The researchers note that the only long-term solution is for open-source agent maintainers to implement a Continue-style tokenize-and-canonicalize evaluator guard inside the agent itself.
Until then, Adversa recommends several stopgap solutions, including running agents from a scoped shell with $HOME redirected and disabling auto-yes modes. However, these measures are only temporary fixes and do not address the underlying issue.
Why It Matters to the Industry
The discovery of GuardFall highlights the importance of supply chain security in the AI industry. With many open-source agents relying on Bash tricks to function, the risk of malicious code being ingested into these agents is significant.
The issue also underscores the need for more robust security measures in AI development tools. As AI becomes increasingly integrated into various industries, including the adult entertainment sector, the importance of secure AI development cannot be overstated.
What Comes Next
Adversa's discovery has sparked a renewed focus on supply chain security in the AI industry. Open-source agent maintainers are being urged to implement more robust security measures to prevent GuardFall and similar attacks.
The incident also highlights the need for greater collaboration between developers, researchers, and security experts to ensure that AI development tools are secure and reliable.
Key Facts
- Adversa AI discovered a structural security flaw in multiple open-source AI agents, dubbed "GuardFall."
- The issue affects 10 out of 11 popular open-source agents tested by Adversa.
- Only one agent, Continue, was able to maintain a guard against Bash tricks.
- The flaw relies on the agent's inability to guard against decades-old Bash shell tricks.
- Adversa recommends several stopgap solutions to prevent GuardFall, including running agents from a scoped shell with $HOME redirected and disabling auto-yes modes.
In related news, a recent supply chain attack on the NX package exposed sensitive data from downstream devices. The attackers used locally-installed AI tools such as Claude and Gemini to collect sensitive information.
Another incident involved a malicious prompt injection into Amazon's popular AI assistant, Amazon Q for Visual Studio Code. The attacker embedded destructive system-level commands into version 1.84.0 of the extension, instructing the AI to delete users' files and AWS cloud resources.
The incidents highlight the importance of supply chain security in the AI industry and underscore the need for more robust security measures in AI development tools.