ctipilot.ch

Friendly Fire (AI Now Institute exploit)

campaign · campaign:friendly-fire-ai-agent-defensive-hijack

AI Now Institute proof-of-concept in which a two-layer indirect prompt injection embedded in an untrusted repository's own files (a decoy Go source paired with a malicious binary, plus a README steering the agent to run a bundled script) hijacks Claude Code (auto-mode) and OpenAI Codex CLI (auto-review) into executing attacker code during a defensive security review, achieving RCE with no hooks, plugins, MCP servers or config files required (AI Now Institute, 2026-07-08).

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
research
Co-occurring entities
1
see Related entities below
ATT&CK techniques
3
pinned v19.1 · see below

Hunting pivots

Affected products
Anthropic Claude Code CLIOpenAI Codex CLI

ATT&CK techniques

3 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools×1

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.

Evidence: 2026-07-11/friendly-fire-prompt-injection-rce-defensive-ai-agents · ATT&CK page ↗

Execution TA0002

T1059.004Command and Scripting Interpreter: Unix Shell×1

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Evidence: 2026-07-11/friendly-fire-prompt-injection-rce-defensive-ai-agents · ATT&CK page ↗

T1204.002User Execution: Malicious File×1

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Evidence: 2026-07-11/friendly-fire-prompt-injection-rce-defensive-ai-agents · ATT&CK page ↗

Story timeline

  1. 2026-07-11'Friendly Fire': prompt injection hijacks AI coding agents' defensive auto-review into remote code execution
    researchAI Now Institute PoC turns an untrusted library's own files into RCE when Claude Code or Codex CLI review it in auto-mode — no hooks or config needed

Where this entity is cited

  • research1

Source distribution

  • ainowinstitute.org1 (50%)
  • infosecurity-magazine.com1 (50%)

Related entities

Entries about Friendly Fire (AI Now Institute exploit) (1)

2026-07-11 · view entry permalink →

NOTABLENATOB2

'Friendly Fire': prompt injection hijacks AI coding agents' defensive auto-review into remote code execution

AI Now Institute researchers Boyan Milanov and Heidy Khlaaf published a proof-of-concept, "Friendly Fire," that achieves remote code execution against Anthropic's Claude Code CLI (auto-mode, with Sonnet 4.6, Sonnet 5 or Opus 4.8) and OpenAI's Codex CLI (auto-review, with GPT-5.5) when either is used for its advertised defensive purpose — reviewing the security of an untrusted open-source or third-party library (AI Now Institute, 2026-07-08). The attack needs only an out-of-the-box configuration: no custom hooks, skills, plugins, MCP servers, or machine-configuration files as an injection vector. The chain is two layers of prompt injection carried entirely inside the reviewed repository's own files. The first layer makes a malicious binary look safe: alongside the binary (code_policies) the attacker ships a decoy Go source file (code_policies.go) implementing a legitimate-looking static checker, and embeds matching string constants in the binary so the agent's own disassembly-inspection step associates the two and clears it. The second layer, placed in README.md — deliberately, because README is not an enforceable machine-config file and needs no user approval — references a bundled security.sh "security checker" in innocuous language, leading the agent to run the script, which launches the binary (AI Now Institute, 2026-07-08; Infosecurity Magazine, 2026-07-10).

The researchers demonstrated the technique against a modified copy of the geopy Python library and report it transfers to other libraries and to Codex without modification, mapping it onto two realistic threat models: malicious library maintainers embedding instructions in their own code, and supply-chain compromise of upstream packages (they cite recent GitHub-repo-poisoning and PyTorch Lightning incidents), the latter especially dangerous where CI/CD auto-updates dependencies and then hands them to a defensive agent to review. They explicitly reject sandboxing as a sufficient mitigation, arguing an in-sandbox RCE can be used to attempt escape and citing sandbox-escape CVEs against Claude Code itself.

Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector.

When Claude Code or Codex proceed to analyze the source code, the prompt injections steer each respective agent to presume that the malicious binary is necessary to perform the security review, thereby executing the binary and failing to detect it as harmful.

AI Now Institute 2026-07-08

Builds on: 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary

research11 Jul 04:30Zmulti-sourceOpen finding ↗