Find notable cyber news and cases, enriched with sources, timelines, and signals.

Friendly Fire: autonomous AI code-review modes can execute attacker-controlled repository code

Technical Analysis
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

Friendly Fire shows that autonomous code-review modes in Claude Code and OpenAI Codex can be manipulated into executing attacker-controlled code on the host. The proof-of-concept abuses a normal repository review flow, using a seemingly routine README.md-driven security check to launch a hidden binary. The result is host command execution without a warning or approval prompt when the agent is allowed to approve its own commands.

Timeline

  1. 09.07.2026 08:15 1 articles · 18h ago

    AI Now Institute publishes Friendly Fire proof-of-concept for autonomous AI code review

    Initial Disclosure

    AI Now Institute published the Friendly Fire proof-of-concept showing that Anthropic's Claude Code and OpenAI Codex, when run in autonomous modes that approve their own commands, can be induced to execute a hidden binary while reviewing untrusted code. The demo used geopy, a README.md prompt to run security.sh, and worked across Claude Code CLI 2.1.116, 2.1.196, 2.1.198, 2.1.199 and OpenAI Codex CLI 0.142.4 on GPT-5.5 and Claude Sonnet 4.6, Sonnet 5, and Opus 4.8.

    Show sources