AI Now Institute disclosed "Friendly Fire," a proof-of-concept attack showing that autonomous AI coding agents used to inspect or secure software repositories can be manipulated into executing attacker-controlled code on the host system. The demonstration targeted Anthropic Claude Code and OpenAI Codex when autonomous command-approval features were enabled, and used a malicious README prompt plus a disguised binary invoked through a script named security.sh while reviewing an untrusted open-source repository.
Researchers said the issue is a design-level weakness rather than a patchable, version-specific flaw, because the agents cannot reliably separate hostile repository content from instructions that appear relevant to their assigned task. The proof of concept, built from a modified geopy repository, reportedly required no elevated privileges or trust prompt and achieved code execution without user approval; AI Now said it has not observed in-the-wild abuse, released public research code with the payload removed, and urged organizations to keep command-capable agents away from untrusted codebases and sensitive environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
AI Now Institute published an exploit brief describing 'Friendly Fire,' a proof-of-concept attack showing that autonomous AI coding agents can be manipulated into executing attacker-controlled code while reviewing untrusted repositories. The research demonstrated the issue against Anthropic Claude Code and OpenAI Codex in autonomous command-approval modes and released public code with the payload removed.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcethehackernews.com
Open sourceainowinstitute.org
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.