Git identity spoof fools Claude into giving bad code the nod

What happened
It has been reported that researchers at Manifold Security demonstrated how Anthropic’s Claude can be tricked into approving malicious code with just two Git commands. By setting a fake author name and email in Git, the team made a commit look like it came from a trusted maintainer, then fed that commit into an automated review pipeline built on Claude, and the model approved the change. The catch: this wasn’t a bug in Git. Commit metadata can be faked unless signing or other controls are enforced.
Why it matters
The sting here is not technical trickery so much as misplaced trust. The model allegedly gave weight to the claimed identity in commit metadata rather than independently vetting the diff. Humans might pause — “Why is this maintainer suddenly touching this file?” — but an AI reviewer with rules that favor recognized contributors will follow its signals every time. Sounds small? Supply-chain compromises start small. Think SolarWinds, or the recent OpenClaw Cline incident Manifold compared this to: something that looks trusted can quietly become poisonous.
The emotional center
There’s a bitter little shock in this story. Maintainers are drowning in PRs and automation is supposed to be the lifejacket. But a lifejacket with a hole isn’t much use. Automating approvals for “known” figures is sensible on paper; in practice it hands attackers a neat latch to flip. Manifold’s warning lands hard: if nothing else checks who did what, bad code won’t just be suggested — it’ll get merged.
What to do about it
The fix isn’t exotic. Treat author metadata as unauthenticated unless signed, require commit or tag signing, add independent checks for unexpected maintainers, and don’t let model heuristics be the sole arbiter of trust. Manifold’s takeaway: guardrails can’t live only inside the model. Automate to scale, yes — but authenticate, verify, and assume nothing at face value.
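One way to apply "treat author metadata as unauthenticated unless signed" in front of a model-based reviewer, as an added example that is not code from Manifold Security or the original report: the pipeline reads Git's own signature status and hands the reviewer an author identity only when a good signature comes from a key enrolled for that address. The allowlist, the email address, the fingerprints and the sample records are constructed assumptions.

```python
import subprocess

# Tab-separated git pretty-format: hash, signature status (%G?),
# signing-key fingerprint (%GF), author name, author email.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%an%x09%ae"

# Hypothetical allowlist, enrolled out of band: maintainer email ->
# signing-key fingerprints. Values are constructed placeholders.
MAINTAINER_KEYS = {
    "maintainer@example.org": {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"},
}


def classify(line, keys=MAINTAINER_KEYS):
    """Return (commit, identity_label) for one LOG_FORMAT line."""
    commit, status, fpr, name, email = line.rstrip("\n").split("\t", 4)
    # Only %G? == "G" (good, valid signature) from a key enrolled for this
    # email counts. N, B, E, U, X, Y and R leave the author fields as claims.
    if status == "G" and fpr in keys.get(email.lower(), set()):
        return commit, f"verified maintainer <{email}>"
    return commit, "unauthenticated author (name and email withheld)"


def review_context(lines):
    """Identity header the review bot may see, one entry per commit."""
    return [f"{c[:12]}: {label}" for c, label in map(classify, lines)]


def read_commits(rev_range, repo="."):
    """Fetch LOG_FORMAT lines from a real repository (needs git + keyring)."""
    cmd = ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return done.stdout.splitlines()


# Constructed sample records: an enrolled signed commit, an unsigned commit
# claiming the same author, and one signed by a key that is not enrolled.
SAMPLE = [
    "1" * 40 + "\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\tMaintainer\tmaintainer@example.org",
    "2" * 40 + "\tN\t\tMaintainer\tmaintainer@example.org",
    "3" * 40 + "\tG\tFFFF0000FFFF0000FFFF0000FFFF0000FFFF0000\tMaintainer\tmaintainer@example.org",
]

if __name__ == "__main__":
    print("\n".join(review_context(SAMPLE)))
```

The diff itself is still reviewed on its merits in every case; the label only decides whether the claimed name reaches the reviewer at all.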
Sources: The Register