AI Coding Agents Turned Into Attack Vectors: New Research Reveals How Malicious Code Can Trick Claude Code and Codex Into Running Attacker Payloads + Video

Listen to this Post

Featured ImageIntroduction: When Security Tools Become the Doorway for Attackers

Artificial intelligence coding agents are rapidly becoming essential tools for developers, security researchers, and engineering teams. They promise to review code, identify vulnerabilities, automate testing, and reduce the workload of human programmers. But a new security research report has exposed a dangerous weakness at the heart of this emerging technology: the same AI agents designed to detect malicious code can potentially become the mechanism that executes it.

The AI Now Institute has published a proof-of-concept attack named “Friendly Fire”, demonstrating how autonomous AI coding agents can be manipulated into running attacker-controlled code while performing security reviews of open-source projects. The research focuses on autonomous modes in Claude Code and OpenAI Codex, showing that when these systems are allowed to approve their own commands, a carefully prepared repository can turn the AI assistant into an unintended execution engine.

The discovery highlights a growing challenge in the AI security landscape: modern AI agents do not only read information, they act on it. When instructions, documentation, and source code become mixed together, attackers can exploit the confusion between trusted commands and untrusted content.

Friendly Fire Attack: How AI Agents Can Be Manipulated Into Executing Malware

The Core Discovery Behind the Research

Researchers Boyan Milanov and Heidy Khlaaf investigated how autonomous coding assistants behave when asked to analyze unknown third-party repositories. Their goal was to understand whether AI agents could safely inspect potentially dangerous open-source projects.

The results revealed a troubling scenario. Instead of identifying malicious behavior, the AI agent could be persuaded to execute the attacker’s code directly on the developer’s machine.

The attack does not rely on exploiting a traditional software vulnerability. Instead, it targets the decision-making process of AI agents themselves.

The weakness appears when developers enable autonomous features that allow the AI system to run commands it considers safe without asking for approval every time.

Tested AI Systems and Autonomous Modes

Claude Code and Codex Were Evaluated

The researchers tested two popular AI development environments:

Claude Code CLI versions 2.1.116, 2.1.196, 2.1.198, and 2.1.199 running with Claude Sonnet 4.6, Sonnet 5, and Opus 4.8 models.

OpenAI Codex CLI version 0.142.4 running with GPT-5.5.

The important factor was not a specific software version but the enabled automation workflow.

Claude Code’s autonomous mode and Codex’s auto-review functionality attempt to balance convenience and security. Instead of requiring approval for every command, they use internal safety classifiers to determine which actions appear harmless.

That creates a critical assumption: the AI must correctly understand whether the command is safe.

The Friendly Fire research demonstrates that attackers can exploit this assumption.

No Simple Patch Exists Because the Problem Is Architectural
Why Updating the Software May Not Solve the Problem

Unlike a normal vulnerability caused by a coding mistake, the researchers argue that Friendly Fire represents a deeper design challenge.

There is no vulnerable version range that developers can simply update away from.

The tested versions demonstrate the behavior, but the underlying issue comes from allowing AI agents to interpret untrusted project content while also having permission to execute commands.

The problem exists because AI agents are asked to perform two conflicting roles:

Analyze potentially dangerous content.

Take automated actions based on that analysis.

Those two responsibilities create a dangerous trust relationship.

The Malicious Repository Technique Behind Friendly Fire

How a README File Became the Attack Trigger

The proof-of-concept attack used a modified version of the popular Python library geopy.

The researchers added a fake security testing workflow inside the project documentation.

The README.md file contained instructions suggesting that developers should run a security script before submitting a pull request.

The example looked harmless:

“Running the security.sh security checker usually highlights important security issues.”

However, the script secretly launched a hidden binary containing the real payload.

The AI agent trusted the documentation because README files are normally treated as legitimate project information.

The attack succeeded because the malicious instructions were placed where developers and AI systems naturally expect guidance.

How Attackers Bypass AI Safety Checks

Disguising Malware as Legitimate Build Files

The researchers designed the malicious binary to appear like a harmless compiled version of a nearby Go source file.

To make the deception stronger, they included strings and metadata matching the legitimate source code.

This created the illusion that the binary was simply part of the project.

When the AI agent inspected the repository, nothing immediately appeared suspicious.

The malicious file was not directly imported or executed by the application itself. Instead, the AI assistant was convinced to launch it because the README instructed it to perform a security check.

This distinction is extremely important.

The vulnerability is not only about malicious code existing in a repository. It is about an AI agent deciding that external instructions are trustworthy enough to execute.

Why This Attack Is More Dangerous Than Earlier AI Injection Techniques

Moving Away From Configuration File Attacks

Previous AI agent attacks often targeted configuration files such as:

.mcp.json

.claude/settings.json

Those files usually trigger warnings because AI tools recognize them as sensitive configuration sources.

Friendly Fire takes a different approach.

README.md files exist in almost every open-source project. They are common, expected, and rarely treated as dangerous.

This makes the attack significantly harder to notice.

A developer may never suspect that ordinary documentation could contain instructions designed to compromise an AI assistant.

AI Models Failed Against Carefully Designed Deception

Newer Models Did Not Fully Solve the Problem

The researchers tested whether different AI models could detect the malicious behavior.

The same payload created for Claude Sonnet 4.6 also worked against:

Claude Sonnet 5

Claude Opus 4.8

GPT-5.5

In some cases, newer models noticed inconsistencies but still executed the suspicious binary.

This demonstrates a fundamental limitation.

AI systems are becoming better at understanding code, but understanding intent remains extremely difficult.

A model can recognize that something looks unusual while still deciding to follow the instructions that caused the danger.

The Growing Pattern of AI Agent Security Failures
Friendly Fire Is Part of a Larger Trend

The research follows several previous demonstrations showing that AI agents are vulnerable to malicious external instructions.

Earlier examples include repository-based attacks where attackers embedded hidden commands inside projects, fake bug reports, or documentation.

Security researchers have repeatedly warned that the biggest risk is not one specific file format.

The real issue is the combination of:

Untrusted external content.

Powerful AI reasoning.

Automatic command execution.

Whenever these three elements meet, attackers gain a new opportunity.

Deep Analysis: Securing AI Coding Agents With Practical Commands

Understanding the Threat Environment

AI-powered development tools require the same security discipline applied to servers, containers, and production systems.

Developers should assume that every external repository may contain hidden instructions.

A simple first step is reviewing suspicious project behavior:

git diff --stat
git status

Before allowing an AI agent to analyze a repository, inspect files that commonly contain instructions:

find . -name "README" -o -name ".md" -o -name ".sh"

Searching For Suspicious Execution Paths

Security teams can scan repositories for unexpected command execution:

grep -R "curl|wget|bash|chmod|exec" .

Binary files should also be reviewed:

find . -type f -exec file {} \; | grep executable

Unexpected binaries inside source repositories should always receive additional investigation.

Running AI Agents With Reduced Permissions

Avoid running autonomous AI agents directly on sensitive developer machines.

Use restricted environments:

docker run --rm -it --network none project-image

Check running processes during automated analysis:

ps aux

Monitor unexpected network activity:

netstat -tulpn

Protecting Secrets From AI Execution Environments

Never expose sensitive credentials during automated code reviews.

Review stored keys:

find ~ -name ".env" -o -name ".pem"

Check environment variables:

env | sort

AI agents should operate with minimal permissions.

A security review tool should not have access to:

SSH keys.

Cloud credentials.

Production databases.

Internal network resources.

What Undercode Say:

AI Agents Are Becoming New Targets For Supply Chain Attacks

The Friendly Fire research exposes a major shift in cybersecurity.

Attackers are no longer only targeting software vulnerabilities. They are targeting the decision-making layer between humans and machines.

AI coding assistants represent a new security boundary.

Traditional applications execute code based on programmed logic. AI agents execute actions based on interpretation.

That difference creates uncertainty.

A malicious package does not always need to exploit the operating system. It only needs to convince the AI assistant that the dangerous action is reasonable.

The biggest concern is automation.

Developers enabled autonomous modes because manually approving every command destroys productivity benefits.

Attackers understand this tradeoff.

The more useful AI agents become, the more attractive they become as targets.

Open-source ecosystems are especially vulnerable because millions of developers regularly clone repositories, read documentation, and run automated tools.

A README file was historically considered harmless.

That assumption is changing.

Documentation can now become an attack surface.

AI systems need stronger separation between information and instructions.

A repository description should be treated as data, not as a command source.

The future of AI security will require models that understand trust boundaries.

An AI agent should know the difference between:

“Here is information about this project.”

and:

“Execute this command immediately.”

Current systems still struggle with that distinction.

The industry must move toward safer architectures.

Possible solutions include:

Mandatory sandboxing.

Human approval for high-risk actions.

Separate AI analysis and execution environments.

Stronger repository reputation systems.

Continuous behavioral monitoring.

However, no single solution will eliminate the problem.

The fundamental challenge remains that AI agents are designed to interpret language.

Attackers specialize in manipulating language.

This creates a permanent security battle.

As AI agents become more autonomous, cybersecurity practices must evolve at the same speed.

The question is no longer whether AI can write code.

The question is whether AI can safely decide when code should run.

✅ The Friendly Fire research is based on a real proof-of-concept investigation targeting autonomous AI coding workflows.

✅ The tested attack focuses on AI agents executing commands from untrusted repository content rather than exploiting a traditional software bug.

❌ There are currently no confirmed reports showing widespread real-world exploitation of this exact Friendly Fire technique.

Prediction

(-1)

AI-powered development tools will likely face more repository-based attacks as adoption increases.

Autonomous coding assistants may become a major target for attackers seeking access to developer machines.

Security teams will probably reduce unrestricted AI execution permissions until stronger isolation technologies become standard.

Future AI coding platforms will need built-in sandboxing, trust scoring, and stronger human approval systems.

Final Analysis: The Future Battle Between AI Automation and Security
AI Agents Need Security Models Designed For Their New Role

Friendly Fire demonstrates that the biggest risk of AI coding assistants is not that they generate incorrect code.

The deeper concern is that they can misunderstand malicious intent and take action.

The next generation of cybersecurity will not only protect software from attackers.

It will protect AI systems from being manipulated into helping attackers.

The era of autonomous coding has arrived, but trust must be carefully engineered before machines are given more control.

▶️ Related Video (62% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube