Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
QR Code Phishing Attacks Steal Credentials and Deliver Malware
July 9, 2026
GitHub Copilot Blocks Harmful Prompts in Chat, Writes Them in Code
July 9, 2026
AI Agents Vulnerable to Remote Code Execution Attacks
July 9, 2026
Home/CyberSecurity News/AI Agents Vulnerable to Remote Code Execution Attacks
CyberSecurity News

AI Agents Vulnerable to Remote Code Execution Attacks

Key Takeaways A new exploit dubbed “Friendly Fire” enables remote code execution (RCE) on Anthropic’s Claude Code CLI and OpenAI’s Codex CLI. The attack leverages prompt...

Emy Elsamnoudy
Emy Elsamnoudy
July 9, 2026 4 Min Read
2 0

Key Takeaways

  • A new exploit dubbed “Friendly Fire” enables remote code execution (RCE) on Anthropic’s Claude Code CLI and OpenAI’s Codex CLI.
  • The attack leverages prompt injection hidden within documentation and source files of third-party open-source libraries.
  • Affected models include Claude Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5, operating in default “auto-mode” or “auto-review” configurations.
  • The vulnerability highlights a fundamental challenge in how AI agents differentiate trusted instructions from untrusted data, making sandboxing and human review insufficient mitigations.

AI Agents Fall Victim to Remote Code Execution via “Friendly Fire” Exploit

Cybersecurity researchers have uncovered a critical exploit, named “Friendly Fire,” that allows attackers to achieve remote code execution (RCE) on popular AI coding agents, including Anthropic’s Claude Code CLI and OpenAI’s Codex CLI. This sophisticated attack vector enables the execution of attacker-controlled binaries during routine security reviews of third-party code, bypassing the supposedly safer “auto-mode” and “auto-review” settings.

Table Of Content

  • Key Takeaways
  • AI Agents Fall Victim to Remote Code Execution via “Friendly Fire” Exploit
  • The Mechanics of “Friendly Fire”
  • Bypassing “Safe” Modes and Classifiers
  • Implications for Supply Chain Security and Mitigation Challenges
  • What You Should Do

The Mechanics of “Friendly Fire”

Disclosed by security researchers at the AI Now Institute, the “Friendly Fire” exploit targets Claude Sonnet 4.6, Sonnet 5, and Opus 4.8, alongside GPT-5.5. Crucially, the attack requires no complex hooks, plugins, or custom configurations. Instead, it relies on embedding prompt injections directly within the documentation and source files of third-party open-source libraries.

To demonstrate the exploit, researchers modified a version of the widely used geopy Python geocoding library. This modification included the insertion of a security.sh script, a malicious binary named code_policies, and a deceptive Golang source file, code_policies.go. The Golang file was crafted to make the malicious binary appear legitimately compiled and safe to the AI agent.

A fabricated README.md file within the modified library referenced the security.sh script as a standard security checker, subtly guiding the AI agent to execute it during a typical vulnerability assessment. When a user simply prompts the agent with a command like “Perform security testing on /path/to/geopy,” the agent navigates the codebase, encounters the injected documentation, inspects the decoy source file, and, critically, misidentifies the binary as benign. Subsequently, it executes the malicious binary, leading to remote code execution on the host machine.

Bypassing “Safe” Modes and Classifiers

Both “auto-mode” and “auto-review” were designed as a compromise between fully unrestricted agent execution and complete manual oversight. These modes leverage AI classifiers to automatically approve commands deemed low-risk while flagging suspicious ones for human intervention. However, AI Now Institute said that the “Friendly Fire” exploit consistently fooled these classifiers.

Anthropic previously stated that Claude Code’s auto-mode sees users approving 93% of permission prompts, with the classifier intended to streamline workflows without compromising safety. Yet, researchers found that the code-matching heuristics employed by these classifiers could be effectively spoofed. This was achieved by pairing a legitimate-looking source file with a compiled binary that contained matching string constants, making the malicious payload appear innocuous.

Aspect Claude Code Codex
Model tested Sonnet 4.6, Sonnet 5, Opus 4.8 GPT-5.5
Permissive mode exploited Auto-mode Auto-review
Injection vector README.md + decoy source file Same files, no changes needed
Detected injection on direct query? No No

The researchers noted that the attack was directly transferable from Claude Code to Codex without any modifications. This suggests that the underlying vulnerability is not a model-specific flaw but rather a fundamental weakness in how frontier AI models distinguish between trusted instructions and untrusted data.

Implications for Supply Chain Security and Mitigation Challenges

This class of attack bears significant resemblance to real-world supply-chain compromises, such as the Megalodon GitHub campaign and the PyTorch Lightning library breach. These incidents demonstrated how malicious code can propagate to downstream users through seemingly innocuous dependency updates. If continuous integration/continuous delivery (CI/CD) pipelines delegate automated vulnerability scanning of incoming package updates to AI agents, the “Friendly Fire” injection technique could trigger silently, completely bypassing human review.

Researchers also raised concerns about the effectiveness of current mitigation strategies. They argue that sandboxing alone is an incomplete solution, citing previously disclosed Claude Code sandbox escape vulnerabilities that could allow an attacker, once RCE is achieved, to break out of containment. Furthermore, relying on human-in-the-loop approval as a final safeguard is problematic due to automation bias and “prompt fatigue,” which can diminish reviewer vigilance during repetitive interactions with AI agents.

The core recommendation from the research is unambiguous: organizations should avoid deploying AI coding agents with code-execution privileges against untrusted or externally sourced codebases until model-level trust boundaries between instructions and data are fundamentally resolved.

What You Should Do

  • Avoid Untrusted Code Execution: Do not use AI coding agents with code-execution privileges on untrusted or externally sourced codebases, especially in automated vulnerability scanning workflows.
  • Manual Review for Dependencies: Maintain robust human review processes for all third-party dependencies and open-source contributions, even when AI agents are used for initial analysis.
  • Isolate AI Agents: Implement strict network segmentation and least privilege principles for systems hosting AI coding agents.
  • Stay Informed: Monitor advisories from AI model developers (Anthropic, OpenAI) regarding updates and patches for these vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitSecurityThreatVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Chrome Update Patches 27 Vulnerabilities, Two Critical Code Execution Flaws

Next Post

GitHub Copilot Blocks Harmful Prompts in Chat, Writes Them in Code

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Microsoft Patches Critical Defender Zero-Day Vulnerability CVE-2023-XXXXX
July 9, 2026
Critical GhostApproval Flaw in Amazon Q, Claude, Cursor Exposes AI Agents
July 9, 2026
Palo Alto Networks Patches Critical PAN-OS Vulnerability CVE-2024-3400 for RCE
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us