Detailed Analysis
Security researchers at Manifold Security have demonstrated a significant weakness in AI-powered code review pipelines, targeting Claude's automated pull request review. Git commit metadata has always been malleable: the author name and email headers are plain text that anyone can set to any value. By forging the identity of a trusted maintainer, an attacker can cause Claude's review agent to approve commits it would otherwise scrutinize more carefully. The attack exploits no flaw in Git itself; it weaponizes how Claude interprets identity signals. When a commit appears to originate from a recognized, high-trust contributor, Claude's review process tends to extend that trust to the code itself, approving changes without a sufficiently independent assessment of the actual diff.
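To make the malleability concrete, the following added example (not code from Manifold Security or from the original article) builds git commit objects by hand and shows that the author header is nothing more than text the committer chooses. The tree ID is git's well-known empty-tree object, the parent ID and the names and addresses are constructed placeholders, and `parse_author` stands in for any reviewer that reads the author field and trusts it.

```python
import hashlib

# Constructed example values. EMPTY_TREE is git's real empty-tree object ID;
# FAKE_PARENT is a made-up placeholder so the object has a parent header.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
FAKE_PARENT = "a" * 40


def commit_object(tree, parents, author, committer, message,
                  timestamp=1700000000, tz="+0000"):
    """Build the body of a git commit object.

    The author and committer headers are free-form text. Nothing in the
    object format binds them to a key, an account, or the identity that
    pushed the commit, so an attacker can write any name and e-mail here.
    """
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines.append(f"author {author} {timestamp} {tz}")
    lines.append(f"committer {committer} {timestamp} {tz}")
    return ("\n".join(lines) + "\n\n" + message).encode()


def object_id(body):
    """The commit SHA git would assign: SHA-1 over 'commit <size>\\0' + body."""
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()


def parse_author(body):
    """What a naive reviewer does: read the author header and believe it."""
    headers = body.decode().split("\n\n", 1)[0]
    for line in headers.split("\n"):
        if line.startswith("author "):
            ident = line[len("author "):].rsplit(" ", 2)[0]  # drop timestamp and tz
            name, email = ident.rsplit(" <", 1)
            return name, email.rstrip(">")
    raise ValueError("no author header")


# The same tree, parent and message, differing only in the author header.
HONEST = commit_object(EMPTY_TREE, [FAKE_PARENT],
                       "Attacker <attacker@example.com>",
                       "Attacker <attacker@example.com>",
                       "fix typo\n")
FORGED = commit_object(EMPTY_TREE, [FAKE_PARENT],
                       "Trusted Maintainer <maintainer@example.org>",
                       "Trusted Maintainer <maintainer@example.org>",
                       "fix typo\n")

if __name__ == "__main__":
    for label, body in (("honest", HONEST), ("forged", FORGED)):
        print(label, object_id(body), parse_author(body))
```

Both objects are perfectly valid commits with distinct IDs; the only difference a metadata-driven reviewer sees is the name it reads back. On the command line the same forgery is `git commit --author='Trusted Maintainer <maintainer@example.org>'`, or setting `GIT_AUTHOR_NAME` and `GIT_AUTHOR_EMAIL` before committing, and git accepts it without complaint.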
The core danger the researchers identified is architectural: Claude's review agent relies on author identity as a meaningful trust signal, a heuristic that human reviewers apply with social and contextual intuition but that automated systems apply far more mechanically and consistently. A human reviewer might notice that a known maintainer is submitting an out-of-character change at an unusual time, or flag a suspicious commit message. An AI agent lacks that broader situational awareness and is therefore more reliably fooled by a correctly spoofed identity. This predictability is precisely what makes identity spoofing an effective and repeatable attack vector against AI-driven workflows.
The implications extend well beyond Claude specifically. Manifold Security explicitly warned that open source repositories are increasingly integrating AI agents into their merge pipelines, and that these agents are being deployed without sufficient secondary verification controls. The researchers stressed that when malicious code bypasses review, the consequence is not merely a bad AI suggestion — it is actual code merged into production branches of widely-used libraries, creating supply chain attack opportunities at scale. The attack surface is therefore not just the AI model but the entire trust architecture of software development pipelines that have been automated without compensating safeguards.
This finding connects to a broader and accelerating tension in AI deployment: the gap between AI systems' task-level competence and their vulnerability to adversarial manipulation of context. Claude can evaluate code quality effectively under normal conditions, but its reasoning is contingent on the integrity of the inputs it receives. When those inputs — in this case, commit metadata — can be cheaply falsified, the reliability of the AI's output degrades in ways that are not immediately visible to the humans nominally overseeing the process. This is a version of the prompt injection problem applied to software development infrastructure, where the "prompt" is the apparent trustworthiness of a contributor identity.
The Manifold Security disclosure arrives at a moment when agentic AI systems are being integrated into critical developer workflows at significant speed. Anthropic's Claude, along with competing models from OpenAI and Google, is being embedded in tools like GitHub Copilot Workspace and various CI/CD platforms, often with merge or approval authority. The episode underscores that deploying AI agents into high-stakes, adversarial environments requires not just capable models but robust surrounding verification architecture: cryptographic commit signing, multi-party approval requirements, and anomaly detection that operates independently of the AI reviewer's own judgment. Signing helps only if the pipeline also checks that the signing key is bound to the claimed author; a valid signature from an attacker's own key still carries a forged author header, and an unsigned commit should confer no identity-based trust at all. Without such external controls, the expanding role of AI in software supply chains introduces systemic risks that sophisticated threat actors are already beginning to map and exploit.
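One way to build the independent check described above, as an added example rather than anything from the article or from Anthropic's tooling: a pre-merge gate that substantiates each commit's author claim against git's signature verification and an out-of-band key registry, and then requires a human approval from someone who is not an author of the change. The input format is the real `git log --format='%H%x09%an%x09%ae%x09%G?%x09%GF'` output (signature status and signing-key fingerprint); the log lines, addresses, fingerprints and the `TRUSTED_KEYS` registry are constructed for the example.

```python
from dataclasses import dataclass

# Constructed registry binding signing-key fingerprints to maintainer
# identities. In a real pipeline this comes from the organisation's key
# registry, never from the repository or the PR under review.
MAINTAINER_KEY = "1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D"
CONTRIBUTOR_KEY = "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C"
TRUSTED_KEYS = {
    "maintainer@example.org": {MAINTAINER_KEY},
    "contributor@example.net": {CONTRIBUTOR_KEY},
}

# Constructed sample of: git log --format='%H%x09%an%x09%ae%x09%G?%x09%GF' origin/main..HEAD
# %G? is git's signature status: G good/trusted, U good/unknown validity,
# B bad, N no signature (plus X/Y/R/E for expired, revoked, missing key).
# %GF is the fingerprint of the key that made the signature (empty if none).
SAMPLE_LOG = "\n".join([
    # genuine: signed with the key bound to the author address
    "1" * 40 + "\tTrusted Maintainer\tmaintainer@example.org\tG\t" + MAINTAINER_KEY,
    # forged author, no signature at all
    "2" * 40 + "\tTrusted Maintainer\tmaintainer@example.org\tN\t",
    # forged author, signed with a different (legitimately trusted) key:
    # git reports a good signature, but the key is not the maintainer's
    "3" * 40 + "\tTrusted Maintainer\tmaintainer@example.org\tG\t" + CONTRIBUTOR_KEY,
])


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    key_fingerprint: str


def parse_log(text):
    """Parse the tab-separated log format above into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def check_commit(c):
    """Reasons the author claim on this commit is NOT substantiated.

    An empty list means a good, trusted signature from a key bound to the
    e-mail in the author header. A good signature by itself is not enough:
    an attacker can sign a forged-author commit with their own key.
    """
    if c.sig_status == "N":
        return ["unsigned: author header is unverified text"]
    if c.sig_status != "G":
        return [f"signature status {c.sig_status!r} is not a good, trusted signature"]
    if c.key_fingerprint not in TRUSTED_KEYS.get(c.author_email, ()):
        return [f"key ...{c.key_fingerprint[-8:]} is not bound to {c.author_email}"]
    return []


def merge_allowed(commits, human_approvers):
    """Gate that does not consult the AI reviewer at all: every commit must be
    substantiated, and at least one human approver must not be an author of
    any commit in the change (no self-approval, forged or otherwise)."""
    if any(check_commit(c) for c in commits):
        return False
    authors = {c.author_email for c in commits}
    return any(a not in authors for a in human_approvers)


if __name__ == "__main__":
    for c in parse_log(SAMPLE_LOG):
        print(c.sha[:8], c.author_email, check_commit(c) or "ok")
```

The third sample line is the case practitioners most often miss: `git log --show-signature` prints "Good signature", and a check that stops there passes a forged author. The binding of fingerprint to address is what defeats it. Note also that git reports `U` rather than `G` for a good signature from a key whose validity is unknown to the local keyring, so the keyring and its trust settings on the CI runner are part of the control and must be provisioned deliberately.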