AI Code-Scan Agents Tricked Into Running Attacker Code

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- AI Now Institute researchers Boyan Milanov and Heidy Khlaaf published a "Friendly Fire" proof-of-concept showing Claude Code and OpenAI Codex in autonomous modes can be hijacked to run attacker payloads instead of detecting them.
- The same payload worked unchanged across four models — Claude Sonnet 4.6 (which wrote it), Sonnet 5, Opus 4.8, and GPT-5.5 — and AI Now argues no model update can fix it because the models still cannot reliably tell code from instructions.
- The attack hides in an ordinary README.md bait note ("run security.sh before opening a PR"), sidestepping the three config-file injection patches Anthropic has shipped in the past six months and avoiding the "trust this folder" prompt.
- The malicious binary was disguised as the compiled build of a benign Go file sitting beside it and seeded with strings from that file, so Claude Code's disassembly check tied the two together; in some runs, newer models noticed the mismatch and ran it anyway.
- Both Anthropic and OpenAI were notified, though AI Now notes the work sits outside both companies' formal disclosure programs; AI Now also flagged the findings to policymakers, citing a June US executive order pushing agents into defensive security roles.
- The PoC is bounded to command-capable agents reviewing untrusted code in auto-modes, with no reported exploitation in the wild and the public GitHub repo's payload stripped — but sandboxes aren't airtight, and Claude Code's own sandbox had escape bugs this year including symlink flaw CVE-2026-39861.
Why it matters: For teams that adopted Claude Code or Codex specifically to vet third-party open-source code, the AI Now finding inverts the value proposition: the agent meant to scan for threats becomes the delivery vehicle, and AI Now says the fix is a workflow change, not a patch. With a June US executive order already pushing these same agents into defensive security work, a design-level gap now sits between policy ambition and the tools being deployed.




