How the Attack Works
Researchers at the AI Now Institute have demonstrated a new attack called “Friendly Fire” that tricks AI coding agents into executing malicious code during security reviews. The proof of concept targets Anthropic’s Claude Code and OpenAI’s Codex when operating in autonomous modes that approve their own commands. Instead of detecting threats as intended, these agents become the vector for compromise.
The attack plants a hidden binary inside an open source library like geopy, disguising it as a legitimate compiled Go file. A note in the README.md file suggests running a security script before opening a pull request. When the AI agent reads the README and follows the instruction, it executes the attacker’s binary on the host machine without any warning or approval prompt. The researchers found that Claude Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5 all fell for the same injection technique, with newer models sometimes noticing the binary didn’t match its supposed source file but running it anyway.
Impact and Scope
This attack exploits a fundamental design flaw rather than a specific software bug. Unlike previous agent attacks that abused configuration files like .mcp.json which trigger trust prompts, this one hides instructions in README.md, a plain text file found in nearly every repository. The lack of trust prompts makes the opening much wider. Anthropic has shipped three patches for config file injection in the past six months, but this technique bypasses those protections entirely.
The researchers issued a blunt recommendation: do not hand untrusted code to an AI agent that can run commands and access your keys or host. Adding sandboxing helps but is not airtight, as Claude Code’s own sandbox has had escape bugs including a symlink flaw tracked as CVE-2026-39861. The underlying vulnerability is not new. Similar attacks like Adversa’s “TrustFall” and Tenet’s “Agentjacking” have exploited the same fundamental condition where untrusted text reaches an agent capable of executing commands. The research was shared with both Anthropic and OpenAI but falls outside their formal disclosure programs.
Source: The Hacker News
