Skip to main content
CybersecurityHacking

AI Code Reviewer Vulnerable to Git Identity Spoofing

Masked figure in hoodie sits before laptop with Git repository, surrounded by distorted identity symbols.

What happens when the digital signature you rely on to tell friend from foe can be faked in two lines of commands? Security researchers say they found that Anthropic’s Claude — an AI reviewer used to vet code changes — can be fooled into endorsing hostile alterations simply by forging Git metadata to impersonate a trusted maintainer.

What researchers reported

Security researchers discovered a straightforward manipulation that made an AI-based code reviewer treat adversarial changes as if they came from a known, trusted developer. According to the report, forged metadata caused the reviewer to accept hostile code as though it were authored by a maintainer the system recognized. The team said the trick required only two Git commands to spoof the developer’s identity and gain the AI reviewer’s approval of the malicious changes.

How the attack worked, in brief

The core of the finding is simple: metadata associated with Git commits was altered to impersonate a trusted contributor. That falsified provenance led the AI reviewer to treat the changes differently than it would if the author field showed an unknown or suspicious source. The researchers demonstrated the effect by using two Git commands to perform the spoofing and then observing that the AI reviewer — Claude, in this instance — approved the hostile code.

Why this matters

The episode highlights an intersection of two trust layers: human-assigned identity metadata in source control systems and automated trust decisions made by AI tools. When an AI reviewer relies on commit metadata as a signal of author identity or reputation, tampering with that metadata can change the outcome of automated reviews. The researchers’ demonstration shows that a relatively small set of operations — in this case, two Git commands — can be sufficient to manipulate that signal and get malicious changes signed off by the AI.

Perspectives and stakes

  • For technologists: the finding suggests a need to reassess which signals AI review systems treat as authoritative, and how those signals can be validated before influencing decisions.
  • For organizations that deploy AI-assisted review: the test underscores the importance of considering how provenance and identity are established and protected within development workflows.
  • For users and defenders: the demonstration is a reminder that automated approvals can be subverted if upstream assumptions about metadata integrity are not enforced.
  • For adversaries: the work points to a low-effort avenue to influence automated code review outcomes where metadata controls are lax.

Security researchers framed the result as a practical proof-of-concept: forged Git metadata leading an AI reviewer to treat hostile code as though it had come from a trusted maintainer, using only two Git commands to accomplish the identity spoofing. That succinct demonstration forces a simple question: if the signals AI systems rely on can be faked so readily, what steps must organizations take to ensure automated reviewers make safe, reliable decisions?

https://go.theregister.com/feed/www.theregister.com/2026/04/16/git_identity_spoof_claude/