Your AI Coding Assistant Just Cloned Your Entire Repository. You Told It To.

You're debugging code at 11pm. Your AI assistant suggests a fix. You hit tab. It writes three functions. You commit. You never stopped to ask: what did that tool just read to write that answer?

Everything. Your entire codebase. The API keys in your config files. The database credentials. The internal Slack webhook you hardcoded three months ago and meant to remove. The comment that says "TODO: fix this security hole."

It didn't hack its way in. You installed it. You authenticated it. You pointed it at your repository and said help me work faster.

Researchers at Unit 42 just documented what that actually means. Their finding: the line between "productivity tool" and "data exfiltration pipeline" is now functionally invisible.

Developers use convention files to set coding standards — things like "always use TypeScript" or "format dates this way." Standard practice. Totally innocuous.

Until it isn't.

Researchers published findings on something called TrustFall: malicious convention files hidden inside repositories. When AI coding assistants — including Claude Code, Cursor CLI, and GitHub Copilot CLI — read those repos, the convention files injected instructions directly into the AI's behavior.

The AI followed those instructions. It executed code. It exfiltrated data. With minimal or no user interaction.

Translation: you clone a repo. Your AI reads it to "understand the project." The repo contains hidden instructions. Your AI now works for someone else.

Separately, Google disclosed that attackers used AI to develop the first known zero-day exploit that bypasses two-factor authentication. No brute force. No phishing. AI found a flaw humans hadn't, then exploited it at scale.

This is what it looks like when the tool built to help you becomes the weapon used against you.

Twelve months ago, your coding assistant fixed typos and suggested variable names. Today it has access to:

And here's the part that gets overlooked: these tools are designed to be autonomous. Taking action without asking is the feature. That's why you installed them.

"Taking action" now means: cloning repositories to analyze them — including malicious ones. Executing code to test fixes — including code that calls home. Reading configuration files to understand your environment — including the ones with your credentials.

Unit 42 also found a vulnerability in a Claude browser extension that let attackers inject prompts and take over the AI agent entirely. The flaw: the extension trusted content it shouldn't have trusted.

That sentence should sound familiar to anyone who's been in enterprise identity long enough.

I've watched organizations spend six figures on PAM tooling while their developers run AI coding assistants with read access to every secret the PAM was supposed to protect. The attackers don't need to break your vault. They just need to hide a convention file in a repo your developer clones on a Friday afternoon.

This isn't a developer problem. It's an identity problem. AI agents are principals. They request access, hold credentials, and take actions — just like a service account, just like a human user. If your identity program doesn't have a policy for AI tool access scope, you don't have a complete identity program. You have a gap with a very productive-looking front door.

1. Audit what your AI tools can access right now. Open the settings for whatever assistant your team uses. If it has access to your entire filesystem or all your repos, scope it down. Least privilege isn't just for service accounts.

2. Treat convention files like executable code. Before cloning a repository from an unfamiliar source, check for .cursorrules, .clinerules, or any AI instruction file. Read it. If it contains commands or external URLs, delete it or don't clone the repo.

3. Move your secrets out of your code entirely. If your API keys, database passwords, or tokens live in config files inside your repos, your AI has already read them. Use a secrets manager. If it's in plaintext anywhere your AI can see, assume it's been read.

4. Disable auto-execution features. Most AI coding tools have a setting that lets them run code automatically to "test" suggestions. Turn it off. Make the AI show you what it wants to run first. Slower? Yes. Better than handing your terminal to a malicious convention file? Also yes.

5. Create an AI tool policy for your team. Your developers are already using this. They installed it themselves. You need a written policy: which tools are approved, what access they can have, which repos are off-limits. Enforce it like you enforce VPN use.

Identity Decoded publishes every week at identity-decoded.com