Critical Vulnerability Allows Remote Code Execution in AI Agents

Recent research has uncovered a significant security flaw in AI coding assistants, notably Anthropic’s Claude Code CLI and OpenAI’s Codex CLI. This vulnerability, termed “Friendly Fire,” enables attackers to execute malicious code remotely by embedding deceptive instructions within third-party codebases.

The exploit targets specific versions of these AI agents, including Claude Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5. By default, these agents operate in “auto-mode” or “auto-review” configurations, which are designed to streamline security assessments by automatically approving commands deemed low-risk and flagging potentially harmful ones for human review.

Attackers can manipulate this system by inserting malicious scripts and binaries into the documentation and source files of open-source libraries. For instance, researchers modified the geopy Python library by adding a script named security.sh, a harmful binary called code_policies, and a decoy Golang source file, code_policies.go, to make the binary appear legitimate. A reference to the security.sh script was also added in the README.md file, suggesting it as a routine security checker.

When an AI agent is prompted to perform a security review on such a compromised library, it processes the documentation, inspects the decoy source file, and, misled by the deceptive content, executes the malicious binary. This results in remote code execution on the host machine without any user intervention.

Both Anthropic and OpenAI have promoted their respective auto-mode and auto-review features as safer alternatives to unrestricted agent execution. These modes utilize AI classifiers to minimize unnecessary user prompts while maintaining security. However, the “Friendly Fire” exploit demonstrates that these classifiers can be deceived by cleverly crafted malicious content, leading to unauthorized code execution.

Notably, this attack method is not limited to a single AI agent. The same technique was successfully applied to both Claude Code and Codex without any modifications, indicating a broader issue in how AI models differentiate between trusted instructions and untrusted data.

This vulnerability is particularly concerning in the context of real-world supply chain attacks. Malicious code can infiltrate downstream users through dependency updates, as seen in incidents like the Megalodon GitHub campaign and the PyTorch Lightning library breach. If continuous integration and deployment (CI/CD) pipelines rely on AI agents for automated vulnerability scanning of incoming package updates, this injection technique could be exploited without human oversight.

While sandboxing AI agents is a common security measure, it may not be sufficient. Previous disclosures have revealed sandbox escape vulnerabilities in Claude Code, suggesting that attackers with initial access could potentially bypass these protections.

In light of these findings, it’s imperative for developers and organizations to reassess the security configurations of their AI coding assistants. Implementing stricter input validation, enhancing the scrutiny of third-party code, and maintaining a vigilant approach to dependency management are crucial steps to mitigate the risks associated with this vulnerability.