Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers demonstrated a proof-of-concept exploit that can force remote code execution in Anthropic’s Claude Code and OpenAI’s Codex, exposing a trust-boundary flaw in AI coding agents. The attack uses multi-stage prompt injection inside an untrusted repository to make attacker text look like normal task context. In auto-mode/auto-review, the agents can be pushed to run a supposed security.sh workflow that actually launches hidden code. The result is silent execution on a victim machine during a defensive scan.
Related Happenings
Friendly Fire: autonomous AI code-review modes can execute attacker-controlled repository code
Technical Analysis
H score28
First: 09.07.2026 08:15
Last: 09.07.2026 08:15
Sources 1
About this happening:
**Friendly Fire** shows that autonomous code-review modes in **Claude Code** and **OpenAI Codex** can be manipulated into **executing attacker-controlled code** on the host. The p...
Friendly Fire: autonomous AI code-review modes can execute attacker-controlled repository code
Technical AnalysisAbout this happening: **Friendly Fire** shows that autonomous code-review modes in **Claude Code** and **OpenAI Codex** can be manipulated into **executing attacker-controlled code** on the host. The p...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive Guidance
H score28
First: 08.07.2026 20:02
Last: 08.07.2026 20:02
Sources 1
About this happening:
AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive GuidanceAbout this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical Analysis
H score3
First: 08.07.2026 18:07
Last: 08.07.2026 18:07
Sources 1
About this happening:
Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical AnalysisAbout this happening: Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
H score22
First: 06.07.2026 09:33
Last: 06.07.2026 09:33
Sources 1
About this happening:
**SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical AnalysisAbout this happening: **SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...
GuardFall shell-trick bypass of command safety checks in AI coding agents
Technical Analysis
H score25
First: 30.06.2026 17:26
Last: 30.06.2026 17:26
Sources 1
About this happening:
**GuardFall** exposed a shell-trick bypass that lets dangerous commands slip past safety checks in **open-source AI coding and computer-use agents**, putting **full account access...
GuardFall shell-trick bypass of command safety checks in AI coding agents
Technical AnalysisAbout this happening: **GuardFall** exposed a shell-trick bypass that lets dangerous commands slip past safety checks in **open-source AI coding and computer-use agents**, putting **full account access...
Timeline
-
10.07.2026 16:45 2 articles · 2h ago
AI Now Institute demonstrates prompt-injection remote code execution in Claude Code and Codex
Initial DisclosureAI Now Institute researchers Heidy Khlaaf and Boyan Milanov published a July 8 proof-of-concept showing that multi-stage prompt injection hidden in a third-party open-source repository can steer Anthropic’s Claude Code and OpenAI’s Codex into running attacker-controlled commands on a victim machine. The exploit affects Claude Code with Claude Sonnet 4.6 and 5 and Opus 4.8, and Codex with GPT-5.5, by abusing auto-mode or auto-review to treat a malicious security.sh workflow as routine and launch a hidden code_policies binary, resulting in silent remote code execution.
Show sources
- Anthropic and OpenAI Security Tools Could Fuel Cyber-Attacks, Researchers Warn — www.infosecurity-magazine.com — 10.07.2026 16:45
- Anthropic and OpenAI Security Tools Could Fuel Cyber-Attacks, Researchers Warn — www.infosecurity-magazine.com — 10.07.2026 16:45