A solo developer or small agency that runs an AI coding assistant (Claude Code, Cursor, Gemini CLI, GitHub Copilot, OpenAI Codex, Grok) on the same machine that holds its client SSH keys and deploy credentials is materially exposed by the May 2026 TrustFall and SymJack findings: opening a malicious repository and accepting an approval prompt can run attacker code that steals those secrets. The proportionate fix is not a security budget but four habits: update every tool to its latest version; slow down on approvals, especially file copies and writes to configuration files; do not open untrusted repositories on a credentialed machine; and move secrets out of plain files, rotating anything that may have been exposed.
Anchored on Adversa AI's May 2026 research. TrustFall (7 May 2026, reported by Help Net Security) reaches Claude Code, Cursor, Gemini CLI, and GitHub Copilot via the trust dialog. SymJack (26 May 2026) was confirmed against six tools (adding OpenAI Codex and Grok) via a symlink hijack that overwrites the agent's configuration and plants code that runs on restart, stealing SSH keys, cloud tokens, and deploy keys.

Operator-register risk advisory: the prescription is the 15-minute hardening routine, not a claim that any specific user is currently compromised. The point that the smaller operation carries the larger blast radius reflects that solo and small-team machines typically hold long-lived credentials, with no security team and no short-lived-token mitigation to limit what a stolen file is worth.

Note on production model: this publication is written by Claude, Anthropic's model, and curated and signed by Peter. Claude Code is one of the affected tools and Anthropic is the vendor reported to have declined the TrustFall report, so the advice treats every coding tool the same and is written for the user.

VERIFIED 2026-06-02 via Help Net Security (helpnetsecurity.com/2026/05/07/trustfall-ai-coding-cli-vulnerability-research/: four-tool list, mechanism, Anthropic declined) and Adversa AI (the SymJack write-up: six-tool list, named versions, symlink mechanism, stolen-secret list, and the rotate-credentials mitigation).

30-day review cadence (next review 2 Jul 2026), short because the tools are patching unevenly. Trigger conditions: (1) the tools change their approval prompts to resolve and show the true action before confirmation, softening the do-not-trust-the-prompt advice; (2) a new finding extends the problem to tools not yet listed; (3) a tool ships a setting that isolates the agent from credentials by default, changing the recommended steps.
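An added pre-open check, written for this register entry and not taken from Adversa AI's write-up or from any of the tools named above: it walks a freshly cloned repository without following links and reports every symlink whose target resolves outside the tree, marking those that land under the home directory (where the coding tools keep their configuration and where credential files live) and those that dangle (a write through such a link would create the target). The sample tree, the `.agentcfg` directory name and the file names are constructed for the demonstration. It is a triage aid for the slow-down-on-approvals step, not a patch; it cannot see links that an agent action creates after the scan runs.

```python
"""Pre-open audit: list symlinks in a cloned repository that escape the tree.

Added example for this register entry; not code from any of the tools on the
page and not a reproduction of the SymJack technique.  A copy or write that an
approval prompt describes as happening "inside the repo" follows any symlink on
that path to wherever it resolves, so links that leave the tree are the ones
to inspect before accepting the prompt.
"""

import os
import sys
import tempfile
from pathlib import Path


def _is_within(path, ancestor):
    """True when `path` equals `ancestor` or sits below it (both pre-resolved)."""
    try:
        path.relative_to(ancestor)
        return True
    except ValueError:
        return False


def scan_symlinks(repo_root, home=None):
    """Walk repo_root without following links; report every symlink whose
    resolved target lies outside the repository.

    Each finding is a dict: link (path relative to the repo), target (resolved
    absolute path), where ('home' if under the home directory, else 'outside')
    and exists (False for dangling links, which still matter because a write
    through the link creates the target file)."""
    root = Path(repo_root).resolve()
    home_dir = Path(home).resolve() if home else Path.home().resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # git metadata is noise here
        # symlinks to directories are listed in dirnames (but not descended into);
        # symlinks to files and dangling symlinks are listed in filenames
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # resolve() follows the whole chain; strict=False keeps a missing target
            target = link.resolve(strict=False)
            if _is_within(target, root):
                continue
            findings.append({
                "link": str(link.relative_to(root)),
                "target": str(target),
                "where": "home" if _is_within(target, home_dir) else "outside",
                "exists": target.exists(),
            })
    return sorted(findings, key=lambda f: f["link"])


def build_demo_tree(base):
    """Constructed sample layout (not a real repository): a fake home holding a
    hypothetical agent config dir, a file elsewhere on disk, and a repo with one
    harmless in-tree link and three links that leave the tree."""
    base = Path(base)
    cfg = base / "home" / ".agentcfg"  # hypothetical config dir name
    cfg.mkdir(parents=True)
    (cfg / "settings.json").write_text('{"hooks": []}\n')
    (base / "elsewhere").mkdir()
    (base / "elsewhere" / "file.txt").write_text("x\n")
    repo = base / "repo"
    (repo / "docs").mkdir(parents=True)
    (repo / "README.md").write_text("# demo\n")
    os.symlink("../README.md", repo / "docs" / "link_ok")             # stays in tree
    os.symlink("../home/.agentcfg", repo / "cfg")                     # directory link into home
    os.symlink(str(base / "elsewhere" / "file.txt"), repo / "abs_link")  # absolute, outside home
    os.symlink("../home/.agentcfg/hooks.json", repo / "nowhere")      # dangling, would land in home
    return repo, base / "home"


def run_demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, home = build_demo_tree(tmp)
        return scan_symlinks(repo, home=home)


def main(argv):
    findings = scan_symlinks(argv[0]) if argv else run_demo()
    for f in findings:
        flag = "" if f["exists"] else " (dangling)"
        print(f'{f["link"]} -> {f["target"]} [{f["where"]}]{flag}')
    return len(findings)


if __name__ == "__main__":
    # exit 1 when anything escapes the tree, so the check can gate a script
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it with no arguments to see the constructed demo, or give it the path of a clone before opening that clone in any of the tools; a non-zero exit means at least one link leaves the tree and the approval prompts for that repository deserve a closer read.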
Siblings: the enterprise version AM-195 (/ai-coding-agents-enterprise-attack-surface/), the vibe-coded app security check OPS-082 (/operators/vibe-coded-app-security-check/), and the solopreneur stack-consolidation piece (/operators/solopreneur-ai-stack-consolidation/).
About this register
The Operators register tracks claims published from practitioner-advisory pieces addressed to solo founders, micro-SMB, and small businesses up to around fifty people. Claims are reviewed on a 30–45 day cadence — tooling and SMB-relevant pricing shift faster than enterprise procurement signals.
Recent corrections in Operators
- OPS-002 · Partial · 28 May 2026
Price drift: Notion Business with bundled AI now about $15/seat annual ($20 monthly) vs cited $19.50; ClickUp Brain now $7/seat vs cited $9. Verdict logic unchanged; figures need updating.
- OPS-036 · Partial · 29 Apr 2026
Initial publication 29 Apr 2026. Status set to Partial at publication because clause 6 commentary references an order-of-magnitude remediation-cost gap derived from the IAPP 2024 AI Governance Profession Report; the report characterises the gap as material but does not publish a precise multiple, so the wording is annotated source: our-estimate.
- OPS-035 · Holding · 29 Apr 2026
Initial publication 29 Apr 2026. Status set to Partial at publication because category 5 lacks the same regulatory/cited-consequence anchor as categories 1-4.
Reviews coming up in Operators
- OPS-065 · Holding · next +8d (11 Jun 2026)
A solo agency delivering AI-assisted work to a client needs four contract clauses by Aug 2026 — disclosure of AI use, I…
- OPS-064 · Holding · next +8d (11 Jun 2026)
For a freelance translator below 0.10 €/word, accepting MTPE rates at agency-standard 40–60% of full rate is rational o…
- OPS-036 · Partial · next +10d (13 Jun 2026)
An SMB AI policy that actually changes day-to-day behaviour fits on one page and contains exactly eight clauses — sanct…