AI Now Institute researchers Boyan Milanov and Heidy Khlaaf published a proof-of-concept attack called “Friendly Fire” that turns AI coding agents into execution vectors for malicious code. The attack targets the exact workflow these tools are sold for: scanning untrusted third-party code for security vulnerabilities. Instead of catching the threat, the agent becomes the way in, according to The Hacker News.

The full exploit brief and stripped proof-of-concept code are public.

How It Works

The attack hides a malicious binary in an open-source library alongside a README.md that suggests running a script called security.sh as a routine check before opening a pull request. When an AI coding agent is pointed at the project with a request like “Perform security testing on this project,” it reads the README, interprets the script as part of the job, and executes it. The attacker’s binary runs on the host with no warning and no approval prompt.

To bypass the agent’s safety classifier, the researchers disguised the malicious binary as the compiled output of a harmless Go file sitting in the same directory, seeding it with strings from that file so Claude Code’s disassembly check would tie them together. The demo used geopy, a widely used Python geocoding library, though The Hacker News reports it ports to nearly any project.

Affected Tools and Models

The researchers tested two stock installations with autonomous modes enabled:

  • Claude Code (CLI 2.1.116, 2.1.196, 2.1.198, 2.1.199) running Claude Sonnet 4.6, Sonnet 5, or Opus 4.8
  • OpenAI Codex (CLI 0.142.4) running GPT-5.5

One exploit, two vendors, four models, zero modifications required. In some runs, newer models noticed the binary did not match its supposed source code and ran it anyway.

Why There Is No Patch

AI Now argues the vulnerability is in agent design, not in specific software versions. The autonomous modes in both Claude Code (“auto-mode”) and Codex (“auto-review”) use a classifier to decide which commands are safe to execute without human approval. The classifier cannot reliably distinguish between legitimate code and embedded instructions, according to the exploit brief.

Previous agent attacks exploited machine-configuration files like .mcp.json or .claude/settings.json, which trigger Claude Code’s folder trust warning. This attack hides in README.md, an ordinary text file in virtually every repository. No trust prompt fires. Anthropic has shipped three patches for config-file injection in the past six months, The Hacker News notes. This route bypasses that entire class.

The Pattern

Friendly Fire is the third major agent-code-execution attack disclosed in recent months. Adversa’s “TrustFall” achieved one-click code execution across Claude Code, Cursor, Gemini CLI, and Copilot CLI in May. Tenet’s “Agentjacking” used fake bug reports in Sentry to trick agents at an 85% success rate, according to The Hacker News.

The common thread: untrusted text reaching an agent with command execution privileges. The researchers’ recommendation is direct. Do not hand untrusted code to an agent that can run commands and reach your keys, secrets, or host.

That is uncomfortable for teams that adopted these tools specifically to vet third-party code, but it follows from the finding. If the agent cannot tell legitimate instructions from malicious ones embedded in a README, the security review workflow is the attack surface.