Intelligence
highVulnerabilityEmerging

AI Code Analysis Agents Exploited to Execute Attacker Code via Prompt Injection

Researchers at AI Now Institute demonstrated a proof-of-concept attack called 'Friendly Fire' that tricks autonomous AI coding agents from Anthropic and OpenAI into executing malicious code whilst ostensibly scanning for vulnerabilities. The attack exploits the agents' self-approval mechanisms when operating without human oversight.

S
Sebastion

Affected

Anthropic Claude CodeOpenAI Codex

The 'Friendly Fire' attack exploits a fundamental trust assumption in autonomous AI coding agents: that code presented for security analysis is inherently benign. By embedding carefully crafted prompts or obfuscated payloads within open-source repositories or code submissions, attackers can manipulate Claude Code and Codex into executing arbitrary commands on the host system when these agents operate in autonomous mode without human approval gates.

The technical mechanism relies on the agents' natural language understanding being insufficient to distinguish between legitimate code review tasks and attacker-controlled instructions. When an agent is tasked with scanning for vulnerabilities, it may execute code as part of its analysis workflow, setting up environments, running test cases, or demonstrating proof-of-concept exploits. An attacker can craft malicious code that, when analysed, triggers execution of hidden payloads through comment-based instructions, conditional logic, or obfuscation patterns the agent's safety filters fail to catch.

This attack pattern is particularly dangerous because it inverts the typical security model: tools designed to protect codebases become vectors for compromise. Organisations deploying these agents for continuous security scanning of dependencies or pull request analysis could inadvertently grant remote code execution capabilities to threat actors who inject payloads into upstream dependencies or forked repositories. The attack is especially effective against agents operating in 'self-approval' mode, where the autonomous system makes decisions without requiring human review of its actions.

Defenders should immediately restrict autonomous mode deployment of AI coding agents to isolated, ephemeral environments with network segmentation and minimal filesystem permissions. Code analysis workflows should require human approval before any executable operations occur. Organisations using Claude Code or Codex should implement sandboxing, disable self-approval mechanisms, and monitor execution logs for suspicious pattern matches. Additionally, security teams should treat AI agent outputs with the same scrutiny as third-party code, never assume a tool's analysis implies safety.

The broader implication is that security automation itself has become an attack surface. As organisations increasingly delegate security operations to AI systems, adversaries will target these agents as high-value compromises: a single successful injection into a CI/CD pipeline running an autonomous agent could compromise hundreds of dependent systems. This demonstrates the critical importance of maintaining human-in-the-loop controls for any automated system with code execution privileges, regardless of its stated security purpose.