Friendly Fire: autonomous AI code-review modes can execute attacker-controlled repository code
Technical Analysis
Summary
Hide ▲
Show ▼
Friendly Fire shows that autonomous code-review modes in Claude Code and OpenAI Codex can be manipulated into executing attacker-controlled code on the host. The proof-of-concept abuses a normal repository review flow, using a seemingly routine README.md-driven security check to launch a hidden binary. The result is host command execution without a warning or approval prompt when the agent is allowed to approve its own commands.
Timeline
-
09.07.2026 08:15 1 articles · 18h ago
AI Now Institute publishes Friendly Fire proof-of-concept for autonomous AI code review
Initial DisclosureAI Now Institute published the Friendly Fire proof-of-concept showing that Anthropic's Claude Code and OpenAI Codex, when run in autonomous modes that approve their own commands, can be induced to execute a hidden binary while reviewing untrusted code. The demo used geopy, a README.md prompt to run security.sh, and worked across Claude Code CLI 2.1.116, 2.1.196, 2.1.198, 2.1.199 and OpenAI Codex CLI 0.142.4 on GPT-5.5 and Claude Sonnet 4.6, Sonnet 5, and Opus 4.8.
Show sources
- Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It — thehackernews.com — 09.07.2026 08:15