AI Agents Vulnerable to Remote Code Execution Attacks
Key Takeaways A new exploit dubbed “Friendly Fire” enables remote code execution (RCE) on Anthropic’s Claude Code CLI and OpenAI’s Codex CLI. The attack leverages prompt...
Key Takeaways
- A new exploit dubbed “Friendly Fire” enables remote code execution (RCE) on Anthropic’s Claude Code CLI and OpenAI’s Codex CLI.
- The attack leverages prompt injection hidden within documentation and source files of third-party open-source libraries.
- Affected models include Claude Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5, operating in default “auto-mode” or “auto-review” configurations.
- The vulnerability highlights a fundamental challenge in how AI agents differentiate trusted instructions from untrusted data, making sandboxing and human review insufficient mitigations.
AI Agents Fall Victim to Remote Code Execution via “Friendly Fire” Exploit
Cybersecurity researchers have uncovered a critical exploit, named “Friendly Fire,” that allows attackers to achieve remote code execution (RCE) on popular AI coding agents, including Anthropic’s Claude Code CLI and OpenAI’s Codex CLI. This sophisticated attack vector enables the execution of attacker-controlled binaries during routine security reviews of third-party code, bypassing the supposedly safer “auto-mode” and “auto-review” settings.
Table Of Content
The Mechanics of “Friendly Fire”
Disclosed by security researchers at the AI Now Institute, the “Friendly Fire” exploit targets Claude Sonnet 4.6, Sonnet 5, and Opus 4.8, alongside GPT-5.5. Crucially, the attack requires no complex hooks, plugins, or custom configurations. Instead, it relies on embedding prompt injections directly within the documentation and source files of third-party open-source libraries.
To demonstrate the exploit, researchers modified a version of the widely used geopy Python geocoding library. This modification included the insertion of a security.sh script, a malicious binary named code_policies, and a deceptive Golang source file, code_policies.go. The Golang file was crafted to make the malicious binary appear legitimately compiled and safe to the AI agent.

A fabricated README.md file within the modified library referenced the security.sh script as a standard security checker, subtly guiding the AI agent to execute it during a typical vulnerability assessment. When a user simply prompts the agent with a command like “Perform security testing on /path/to/geopy,” the agent navigates the codebase, encounters the injected documentation, inspects the decoy source file, and, critically, misidentifies the binary as benign. Subsequently, it executes the malicious binary, leading to remote code execution on the host machine.
Bypassing “Safe” Modes and Classifiers
Both “auto-mode” and “auto-review” were designed as a compromise between fully unrestricted agent execution and complete manual oversight. These modes leverage AI classifiers to automatically approve commands deemed low-risk while flagging suspicious ones for human intervention. However, AI Now Institute said that the “Friendly Fire” exploit consistently fooled these classifiers.
Anthropic previously stated that Claude Code’s auto-mode sees users approving 93% of permission prompts, with the classifier intended to streamline workflows without compromising safety. Yet, researchers found that the code-matching heuristics employed by these classifiers could be effectively spoofed. This was achieved by pairing a legitimate-looking source file with a compiled binary that contained matching string constants, making the malicious payload appear innocuous.
| Aspect | Claude Code | Codex |
|---|---|---|
| Model tested | Sonnet 4.6, Sonnet 5, Opus 4.8 | GPT-5.5 |
| Permissive mode exploited | Auto-mode | Auto-review |
| Injection vector | README.md + decoy source file | Same files, no changes needed |
| Detected injection on direct query? | No | No |
The researchers noted that the attack was directly transferable from Claude Code to Codex without any modifications. This suggests that the underlying vulnerability is not a model-specific flaw but rather a fundamental weakness in how frontier AI models distinguish between trusted instructions and untrusted data.
Implications for Supply Chain Security and Mitigation Challenges
This class of attack bears significant resemblance to real-world supply-chain compromises, such as the Megalodon GitHub campaign and the PyTorch Lightning library breach. These incidents demonstrated how malicious code can propagate to downstream users through seemingly innocuous dependency updates. If continuous integration/continuous delivery (CI/CD) pipelines delegate automated vulnerability scanning of incoming package updates to AI agents, the “Friendly Fire” injection technique could trigger silently, completely bypassing human review.
Researchers also raised concerns about the effectiveness of current mitigation strategies. They argue that sandboxing alone is an incomplete solution, citing previously disclosed Claude Code sandbox escape vulnerabilities that could allow an attacker, once RCE is achieved, to break out of containment. Furthermore, relying on human-in-the-loop approval as a final safeguard is problematic due to automation bias and “prompt fatigue,” which can diminish reviewer vigilance during repetitive interactions with AI agents.
The core recommendation from the research is unambiguous: organizations should avoid deploying AI coding agents with code-execution privileges against untrusted or externally sourced codebases until model-level trust boundaries between instructions and data are fundamentally resolved.
What You Should Do
- Avoid Untrusted Code Execution: Do not use AI coding agents with code-execution privileges on untrusted or externally sourced codebases, especially in automated vulnerability scanning workflows.
- Manual Review for Dependencies: Maintain robust human review processes for all third-party dependencies and open-source contributions, even when AI agents are used for initial analysis.
- Isolate AI Agents: Implement strict network segmentation and least privilege principles for systems hosting AI coding agents.
- Stay Informed: Monitor advisories from AI model developers (Anthropic, OpenAI) regarding updates and patches for these vulnerabilities.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.