Researchers at Novee Security uncovered a critical vulnerability in Google's Gemini CLI that allowed attackers to execute arbitrary code on host machines — no prompt injection required. The flaw stemmed from Gemini CLI automatically trusting the current workspace folder, loading any agent configuration found there without sandboxing or human approval. A planted malicious config could expose secrets, credentials, and source code. In CI/CD pipelines, the risk escalated to full supply chain attacks. Google has since patched both Gemini CLI and the run-gemini-cli GitHub Action. The incident highlights a growing concern: AI coding agents now operate with trusted contributor-level access inside developer workflows.
Source: SecurityWeek