2026 Git Identity Spoofing: How Hackers Trick Claude AI into Approving Malicious Code

2026 Git Identity Spoofing: How Hackers Trick Claude AI into Approving Malicious Code

Git identity spoofing has successfully deceived Anthropic’s Claude AI code review system into approving malicious code by impersonating trusted maintainers. According to The Register, security researchers demonstrated that just two Git commands—altering the commit author’s name and email—were sufficient to make Claude treat hostile code changes as legitimate contributions from verified developers. This exploit undermines the foundational trust model of AI-assisted code review, where identity verification is assumed to be secure.

How Git Identity Spoofing Works

The attack exploits Claude’s reliance on unverified Git metadata to authenticate contributor identity. By setting user.name and user.email to match those of a known maintainer—often one whose email is publicly associated with a repository—the attacker bypasses identity checks. Claude lacks cryptographic verification of commit signatures, so forged entries are treated as genuine. Controlled experiments confirmed malicious patches were accepted after being attributed to trusted authors.

GitHub’s Attribution Flaw: The cjsys-ux Case

GitHub Issue #24766 reveals a critical systemic vulnerability: the account "cjsys-ux," created in November 2025, is linked to the email [email protected]. This misconfiguration causes GitHub to attribute over 723 commits across public and private repos to an unknown user, creating fertile ground for impersonation. While Anthropic hasn’t confirmed the account’s legitimacy, its existence suggests internal misconfigurations that could be weaponized by attackers.

Anthropic’s Workflow Vulnerabilities

Anthropic’s Claude Code Action workflow previously suffered from a critical flaw: Pull Request #1066 showed the CLI was reading sensitive configuration files (.mcp.json, .claude/settings.json) from the working directory before enforcing permission checks. This allowed PR authors without write access to inject arbitrary shell commands—potentially enabling remote code execution. The fix—restoring these files from the PR base branch—was merged, but highlights a dangerous pattern: trusting unvetted local state in CI/CD pipelines.

How to Protect Your AI Code Review System

Organizations must implement multi-layered defenses to secure AI-powered code review:

• Enforce GPG commit signing to cryptographically verify authorship
• Require verified GitHub identities via SSO or 2FA for all contributors
• Disable permissive bot triggers like allowed_bots: '*' in workflows
• Integrate blockchain-based provenance tracking for commit history
• Train AI models to detect anomalies in authorship patterns, not just metadata

Unlike human reviewers who contextualize behavior, Claude currently lacks provenance awareness. Without cryptographic identity verification, AI systems remain vulnerable to the oldest trick in the attacker’s playbook: impersonation. The fix must go beyond patching workflows—it requires rethinking how AI authenticates human intent in software development.