2026-07-11 · view entry permalink →
'Friendly Fire': prompt injection hijacks AI coding agents' defensive auto-review into remote code execution
AI Now Institute researchers Boyan Milanov and Heidy Khlaaf published a proof-of-concept, "Friendly Fire," that achieves remote code execution against Anthropic's Claude Code CLI (auto-mode, with Sonnet 4.6, Sonnet 5 or Opus 4.8) and OpenAI's Codex CLI (auto-review, with GPT-5.5) when either is used for its advertised defensive purpose — reviewing the security of an untrusted open-source or third-party library (AI Now Institute, 2026-07-08). The attack needs only an out-of-the-box configuration: no custom hooks, skills, plugins, MCP servers, or machine-configuration files as an injection vector. The chain is two layers of prompt injection carried entirely inside the reviewed repository's own files. The first layer makes a malicious binary look safe: alongside the binary (code_policies) the attacker ships a decoy Go source file (code_policies.go) implementing a legitimate-looking static checker, and embeds matching string constants in the binary so the agent's own disassembly-inspection step associates the two and clears it. The second layer, placed in README.md — deliberately, because README is not an enforceable machine-config file and needs no user approval — references a bundled security.sh "security checker" in innocuous language, leading the agent to run the script, which launches the binary (AI Now Institute, 2026-07-08; Infosecurity Magazine, 2026-07-10).
The researchers demonstrated the technique against a modified copy of the geopy Python library and report it transfers to other libraries and to Codex without modification, mapping it onto two realistic threat models: malicious library maintainers embedding instructions in their own code, and supply-chain compromise of upstream packages (they cite recent GitHub-repo-poisoning and PyTorch Lightning incidents), the latter especially dangerous where CI/CD auto-updates dependencies and then hands them to a defensive agent to review. They explicitly reject sandboxing as a sufficient mitigation, arguing an in-sandbox RCE can be used to attempt escape and citing sandbox-escape CVEs against Claude Code itself.
Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector.
When Claude Code or Codex proceed to analyze the source code, the prompt injections steer each respective agent to presume that the malicious binary is necessary to perform the security review, thereby executing the binary and failing to detect it as harmful.
Builds on: 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary