Full Report
Forged metadata made AI reviewer treat hostile changes as though they came from known maintainer Security boffins say Anthropic's Claude can be tricked into approving malicious code with just two Git commands by spoofing a trusted developer's identity.…
Analysis Summary
# Tool/Technique: Git Identity Spoofing for AI Agent Bypass
## Overview
This technique involves the manipulation of Git commit metadata (author name and email) to impersonate a trusted developer or maintainer. The objective is to deceive AI-powered automated code review systems (specifically those built on LLMs such as Anthropic's Claude) into relaxing security scrutiny and auto-approving malicious code on the strength of the spoofed author's reputation.
## Technical Details
- **Type**: Technique / Social Engineering (Digital)
- **Platform**: Git-based Version Control Systems (GitHub, GitLab, Bitbucket) integrated with AI-driven CI/CD workflows.
- **Capabilities**: Identity impersonation, security control bypass, unauthorized code injection.
- **First Seen**: Reported by Manifold Security, April 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0005 - Defense Evasion]**
  - [T1553 - Subvert Trust Controls]
  - [T1036 - Masquerading]
- **[TA0042 - Resource Development]**
  - [T1585 - Establish Accounts (Spoofing identity)]
## Functionality
### Core Capabilities
- **Metadata Forgery**: Utilizing standard Git configuration commands to set `user.name` and `user.email` to match those of a high-trust repository maintainer.
- **Trust Hijacking**: Exploiting the logic of AI reviewers that use "Author Identity" as a weighted signal for trust, leading to "shallow" reviews or auto-approvals for spoofed "trusted" entities.
### Advanced Features
- **Workflow Automation Exploitation**: Targeting specific CI/CD pipelines where "known legends" or org members have their Pull Requests (PRs) fast-tracked by LLM agents.
- **Contextual Deception**: Crafting malicious commits that appear consistent with the spoofed maintainer's previous work to further lower the AI's "suspicion" threshold.
## Indicators of Compromise
- **File Hashes**: N/A (Technique-based)
- **File Names**: N/A
- **Registry Keys**: N/A
- **Network Indicators**: N/A
- **Behavioral Indicators**:
  - Commits appearing from trusted maintainers that are **unsigned** (missing GPG/SSH signatures).
  - Unusually high volume of PR approvals by AI agents in short timeframes.
  - Commits from authorized emails originating from unexpected IP addresses or SSH keys (if logged by the VCS).
## Associated Threat Actors
- **Prototypical/Research**: Manifold Security (Proof of Concept).
- **Potential Groups**: Supply chain attackers and Repo-Jackers (e.g., similar to actors involved in the XZ Utils/liblzma backdoor style of social engineering).
## Detection Methods
- **Signature-Based**: Monitor for commits that lack a `Verified` status despite claiming to be from "Core Maintainers."
- **Behavioral Detection**:
  - Implement monitoring for discrepancies between Git Author metadata and the authenticated user account pushing the code.
  - Flag AI-approved PRs where the author identity was the primary factor in reducing code analysis depth.
- **Audit Logs**: Review repository logs for `git config` changes in automated environments.
## Mitigation Strategies
- **Enforce Commit Signing**: Require GPG, SSH, or S/MIME signing for all commits. Configure repositories to reject any unsigned commits (GitHub's "vouching" or "vigilant mode").
- **Identity Verification**: AI agents must verify identity via cryptographic signatures or platform-native authentication (e.g., GitHub's OIDC) rather than relying on easily forged Git headers.
- **Zero-Trust Code Review**: Configure AI models to evaluate code changes based solely on the logic and security implications of the diff, regardless of the perceived author’s reputation.
- **Branch Protection**: Disable auto-approval workflows for sensitive branches (main/master) even for "trusted" users.
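The following Python script is an added example, not code from Manifold Security, The Register, or any VCS vendor. It turns the Detection Methods and Mitigation Strategies sections above into a concrete check: a commit that claims a maintainer's email must carry a good signature (`git log` `%G?` status `G`) from a key registered to that maintainer, and the commit's author email must match the authenticated account that pushed it. The maintainer allow-list, the `git log` lines and the push records are all constructed sample data; the `%H%x1f%an%x1f%ae%x1f%G?%x1f%GK` format string and the `%G?` status codes are real `git log` features, while the push-event mapping assumes the platform exposes pusher identity through its webhooks or audit log, which Git metadata itself cannot provide.

```python
"""Flag commits whose claimed author identity is not backed by evidence.

Added example, not from the page's source article or any project.
Models two checks: (1) a maintainer-claiming commit needs a good signature
from a registered key, (2) author email must equal the authenticated pusher.
All sample data below is constructed, not real repository history.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allow-list: maintainer email -> signing key ids (git %GK) we trust.
MAINTAINERS: Dict[str, set] = {
    "alice@example.org": {"ABCD1234ABCD1234"},
}

# Constructed output of:
#   git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GK'
# %G? codes: G good, B bad, U good/untrusted key, X/Y expired, R revoked,
#            E cannot check, N no signature.  %GK is empty when unsigned.
SAMPLE_LOG = "\n".join([
    "1111111\x1fAlice Maintainer\x1falice@example.org\x1fG\x1fABCD1234ABCD1234",
    "2222222\x1fAlice Maintainer\x1falice@example.org\x1fN\x1f",  # spoofed header, unsigned
    "3333333\x1fAlice Maintainer\x1falice@example.org\x1fG\x1fFFFF0000FFFF0000",  # signed, unregistered key
    "4444444\x1fMallory\x1fmallory@example.net\x1fN\x1f",  # ordinary external PR, no maintainer claim
])

# Constructed push records: sha -> email of the authenticated account that pushed it.
# Assumption: taken from the platform's push webhook / audit log, not from git.
PUSHER_EMAIL: Dict[str, str] = {
    "1111111": "alice@example.org",
    "2222222": "mallory@example.net",
    "3333333": "mallory@example.net",
    "4444444": "mallory@example.net",
}


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str  # git %G? code
    key_id: str      # git %GK, "" when unsigned


def parse_log(text: str) -> List[Commit]:
    """Parse the unit-separator (0x1f) delimited git log format above."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, status, key = line.split("\x1f")
        commits.append(Commit(sha, name, email, status, key))
    return commits


def check_commit(c: Commit, pusher_email: Optional[str]) -> List[str]:
    """Return finding codes; an empty list means the identity claim holds up."""
    findings: List[str] = []
    trusted_keys = MAINTAINERS.get(c.author_email.lower())
    if trusted_keys is not None:  # header claims to be a maintainer
        if c.sig_status == "N":
            findings.append("UNSIGNED_MAINTAINER_CLAIM")
        elif c.sig_status != "G":
            findings.append("BAD_OR_UNVERIFIABLE_SIGNATURE")
        elif c.key_id not in trusted_keys:
            findings.append("UNTRUSTED_KEY")
    if pusher_email is None:
        findings.append("NO_PUSH_RECORD")
    elif pusher_email.lower() != c.author_email.lower():
        findings.append("PUSHER_MISMATCH")
    return findings


def audit(log_text: str, pushers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_commit over every commit in the log."""
    return {c.sha: check_commit(c, pushers.get(c.sha)) for c in parse_log(log_text)}


def fast_track_allowed(c: Commit, pusher_email: Optional[str]) -> bool:
    """Reputation may shorten review only when the identity is cryptographically
    and platform-authenticated; a bare author header never qualifies."""
    return c.author_email.lower() in MAINTAINERS and not check_commit(c, pusher_email)


if __name__ == "__main__":
    for sha, findings in audit(SAMPLE_LOG, PUSHER_EMAIL).items():
        print(sha, "OK" if not findings else ", ".join(findings))
```

Only the genuinely signed and self-pushed commit is eligible for any reputation-based fast-tracking; the spoofed-header commits are flagged on both the signature and the pusher check, and Mallory's honest external PR gets no findings but also no fast track, which is the zero-trust default the Mitigation Strategies describe.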
## Related Tools/Techniques
- **[T1195] Supply Chain Compromise**: General tactic of poisoning dependencies.
- **XZ Utils Backdoor (Social Engineering aspect)**: Gaining trust over time to inject malicious code.
- **Typosquatting**: Impersonating a package name; this technique instead impersonates a person.