Friendly Fire turned AI code reviewers into the attack path
AI Now researchers showed that Claude Code and Codex could be tricked into running attacker code while reviewing an untrusted library for security problems. With optional modes that let safety classifiers approve commands without a person checking each one, injected instructions got a disguised payload past the automated check. The controlled proof of concept achieved first-stage attacker-controlled execution on the review machine, without demonstrating sandbox escape, persistence, privilege escalation, or lateral movement. The Hacker News reported no known real-world use.
Incident Details
Tech Stack
References
A security scan became code execution
AI Now Institute published the Friendly Fire proof of concept on July 8, 2026. Researchers gave stock installations of Anthropic's Claude Code and OpenAI's Codex a routine defensive assignment: inspect a locally available, attacker-modified library for security problems. With optional autonomous command-review modes switched on, an automated classifier could approve commands without a person checking each one. Both agents ran the payload they were supposed to detect.
AI Now described the result as remote code execution: the review workflow caused code chosen by an attacker to run on the machine hosting the agent. The researchers used prompt injection, where text supplied as data is written to make a model treat it as an instruction. The injection lived in the library's documentation and steered the agents toward a shell script, a file of operating-system commands, presented as a security checker.
Friendly Fire was controlled research. It did not report compromised customers. A security reviewer has to read hostile material. Giving that reviewer authority to run commands means its approval system must remain reliable while processing content deliberately designed to mislead it. The proof showed that this approval system could be persuaded by the evidence under examination.
Auto-mode and auto-review
The tested setup does not support a claim that any coding agent can be hacked. The researchers installed Claude Code or Codex on Linux systems or packaged software containers without extra extensions or custom configuration.
Claude Code ran with its optional auto-mode; Codex ran with its optional auto-review. Commands the classifier considers risky should pause for a person. Commands it approves proceed without that review. The feature preserves enough autonomy for a long security task while trying to keep a safety check between the agent and the operating system. Friendly Fire defeated that check.
AI Now reported testing Claude Code command-line client versions 2.1.116, 2.1.196, 2.1.198, and 2.1.199 with Claude Sonnet 4.6, Sonnet 5, and Opus 4.8. It tested Codex client version 0.142.4 with GPT-5.5. Those tested setups do not establish an affected-version range. The researchers also warned that model output is not deterministic, meaning repeated runs can differ, and that results may change with the model, local environment, or changes to a vendor's hosted service.
How the disguised payload passed
The demonstration modified a local copy of geopy, a legitimate open-source Python library. The choice was illustrative; the researchers did not accuse the real project of distributing the attack. Their copy added documentation, a shell script named security.sh, a precompiled executable program named code_policies, and a benign source-code file written in Go named code_policies.go.
The added README.md recommended running security.sh as part of a security check before submitting code changes. The script referred to familiar analysis tools, but it also launched code_policies, which carried the research payload. No function in the modified library called that program. The agent had to decide to run it after reading the documentation.
The harmless Go file gave the binary a plausible cover story. Its filename suggested that it was the source from which code_policies had been compiled. The researchers also placed strings from the benign source inside the disguised binary. That detail mattered because Claude Code sometimes inspected binaries before execution. Matching names and strings helped the malicious file resemble an ordinary compiled security utility.
The operator's request was simply to perform security testing on the local project. The agents read the injected documentation, inspected the script and files, classified the command as safe, and ran either the script or the binary. The script then launched the payload. In some tests, newer models noticed that the binary and source did not quite match, yet executed the binary anyway. A warning inside a model's reasoning is not much of a safeguard when the same system approves the command.
Optional does not mean irrelevant
auto-mode and auto-review were optional, and the attack required one of them. A person using a mode that pauses for every command would face a separate approval decision. The proof therefore does not support claims that every default Claude Code or Codex session would execute this chain.
Optional autonomy still belongs in the risk assessment. These modes exist because repeated manual approvals interrupt long-running work. Security scanning is one of the workloads used to justify that autonomy. The feature's practical bargain is straightforward: let a classifier handle routine approvals so the operator can step away. When attacker-controlled documentation can influence the work and the approval layer clears the resulting command, the promised supervision has been automated out of the important moment.
The experiment stopped before customer damage, but the foothold could reach far beyond the review task. Attacker-chosen code receives whatever access the agent process and its environment already have. That environment may contain source code or credentials and may connect to build systems or sensitive infrastructure. The researchers did not demonstrate abuse of those assets.
The Hacker News described the work as a laboratory proof of concept with no reported exploitation in the wild. That is a reporting status, not proof the technique was never used. AI Now said it contacted Anthropic and OpenAI and offered help reproducing the findings. Neither the AI Now disclosure nor The Hacker News article included a vendor response or identified a patch.
AI Now argued the risk outlives a version patch
AI Now's conclusion went beyond the tested client builds. The institute argued that a version update cannot fully resolve a design that asks a language model to interpret untrusted code while retaining authority to execute commands. Attackers can rewrite malicious instructions and disguise programs in more ways than a model-based classifier can reliably enumerate, according to the researchers.
AI Now presented an architectural argument. The tests do not establish how every future release will behave. The research itself records variability. A model may reject the files on one run, approve them on another, or behave differently after a service change. The listed client and model versions show where the team reproduced the attack; they do not define all vulnerable or safe versions.
The public repository contains a code_policies program stripped of malicious behavior. AI Now said it would provide the original payload to AI laboratories or security researchers.
Disabling autonomous approval, isolating the agent, and reducing its access can limit consequences. AI Now remained skeptical that model-level filtering could close every route. Whether that stronger claim holds over time, the experiment documented a concrete defect: the safety classifier approved attacker-chosen execution during a task built around distrusting attacker-controlled code.
Defensive AI must survive hostile input
Security review creates an unusually unforgiving boundary. Ordinary assistants may encounter malicious text by accident. A defensive agent is sent directly into code and documentation that may have been prepared by an attacker. Treating those materials as trustworthy guidance defeats the reason for inspecting them.
Comment and Control exposed a related GitHub-hosted route: hostile pull-request titles, issue bodies, and comments steered agents into inspecting processes and leaking credentials through comments, logs, or commits. Friendly Fire stayed local. An operator pointed an autonomous Claude Code or Codex review at an attacker-modified library, and poisoned documentation plus a disguised binary persuaded the approval classifier to execute the payload on the review machine. The shared weakness was untrusted text gaining authority; the entry point and demonstrated harm were different.
The researchers did not demonstrate escape from a sandbox, which is an isolated environment intended to contain untrusted programs. They did not establish persistence, meaning a way for the payload to remain after the initial run; privilege escalation, meaning gaining more authority than the agent process already had; or lateral movement into other systems. None of those omissions makes the first execution harmless, but each one matters when describing what was actually proved.
The agent needed access to suspicious files to do useful work, and optional autonomous approval let it run tools without a person checking each step. The design asked automated command review to supply human-like suspicion while the agent processed material chosen by an adversary. In the demonstration, that review cleared the adversary's binary for execution.
Discussion