Security boffins say Anthropic's Claude can be tricked into approving malicious code with just two Git commands by spoofing a trusted developer's identity.

In a blog published this week, Manifold Security showed how an AI-powered code reviewer built on Claude accepted changes that appeared to come from a legitimate maintainer. By setting a fake author name and email in Git, the team made a commit appear to originate from a trusted source, then passed it through an automated review flow where the model approved it.

This is not a Git vulnerability – commit metadata has always been relatively easy to fake unless additional controls like signing are enforced. The problem arises when that metadata is treated as a signal of trust. In this case, the model appeared to give weight to the author's claimed identity rather than independently assessing whether the change itself was sound.

In Manifold's test, the workflow was set to auto-approve pull requests from "recognized industry legends," so the trust rule was obvious. In the real world, it's usually less explicit – checks against org membership, past contributions, or a maintainer list – but it's the same problem underneath. None of that proves who actually made the change.

"The motivation behind such configurations is understandable. Maintainers of popular open source projects are drowning in PRs," Manifold said. "Automating review for contributions from known, trusted figures reduces the bottleneck. But it creates an assumption that authorship can be trusted at face value."

• Anthropic's Project Glasswing CVE tally is still anyone's guess
• Claude Code routines promise mildly clever cron jobs
• Claude is getting worse, according to Claude
• Claude Code cache chaos creates quota complaints

Manifold compares the setup to the recent OpenClaw Cline package compromise, where a poisoned package slipped into a trusted environment and was treated as legitimate long enough to cause damage. In both cases, something that appeared to come from a reliable source was given a level of trust it hadn't earned.

What changes with systems like Claude is how that trust is applied. A human reviewer might question why a particular maintainer is making an unexpected change or take a closer look at the diff. An automated reviewer is more likely to follow its internal signals consistently, and if those signals include author identity, spoofing that identity becomes a way in.

"Open source libraries are increasingly relying on AI-powered workflow tools to auto-review and approve pull requests, yet these agents are easily fooled, creating opportunities for threat actors to bypass security controls and poison popular code repositories," Manifold warned.

Manifold's takeaway is that the guardrails can't live in the model. If nothing else is checking who did what, bad code won't just be suggested – it'll get pushed. ®

More about

• Anthropic
• Claude
• Git