AI Security Agents Tricked Into Executing Attacker Code via Friendly Fire Attack
Researchers at the AI Now Institute have published a proof-of-concept attack dubbed “Friendly Fire” that subverts autonomous AI coding agents—specifically Anthropic’s Claude Code and OpenAI’s Codex—into running malicious payloads on the very machines meant to detect them. The technique, tested on stock installs with autonomous mode enabled (Claude Code CLI versions 2.1.116, 2.1.196, 2.1.198, and 2.1.199 running Sonnet 4.6, Sonnet 5, or Opus 4.8; Codex CLI 0.142.4 on GPT-5.5), turns the agent’s code-review job into an initial access vector.
The exploit leverages how these tools gate execution. Claude Code’s “auto-mode” and Codex’s “auto-review” rely on a classifier that auto-runs commands the agent deems safe, only pausing on flagged risks—sitting between full sandbox isolation and full prompting. The attack drops a few extra files into an open-source library (the demo used geopy, a popular Python geocoding package) and adds a seemingly routine instruction to its README.md: run security.sh before opening a pull request. That script silently executes a hidden binary embedded alongside a legitimate Go file, seeded with matching strings so the agent’s disassembly check ties the two together. Nothing inside the library’s own source ever calls the binary, so nothing trips suspicion.
What makes the attack particularly dangerous is its bypass of existing defenses. Prior prompt-injection campaigns typically abuse machine-level configuration files such as .mcp.json or .claude/settings.json, which surface Claude Code’s “Yes, I trust this folder” warning. Friendly Fire hides inside a plain README.md—a file present in virtually every repository—triggering no trust prompt and no approval dialog. A simple instruction like “Perform security testing on this project” is enough to let the agent read the README, accept the script as part of its task, and execute the attacker’s payload.
Because the weakness is architectural rather than version-specific, there is no patch to install—the fix is a workflow change. Organizations deploying autonomous agents should disable auto-approval modes for any untrusted third-party code reviews, require explicit human approval for shell execution, and monitor outbound network behavior of development hosts. Security teams can audit their own exposure using a port scanner to identify unexpected listening services spun up by rogue processes, and run a privacy checkup to baseline host telemetry before granting agents autonomous privileges. The researchers note the technique ports to nearly any project—making this a class of supply-chain risk that demands updated agent governance policies before, not after, a breach.