Friendly Fire Attack Hijacks Claude Code, Codex via README

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- AI Now Institute published a proof-of-concept attack called "Friendly Fire" on Wednesday showing that AI coding agents built to scan for vulnerabilities can be hijacked into running attacker code on the reviewer's own machine.
- Claude Code (CLI versions 2.1.116, 2.1.196, 2.1.198, 2.1.199) on Sonnet 4.6, Sonnet 5, or Opus 4.8, and OpenAI Codex (CLI 0.142.4) on GPT-5.5 are both vulnerable when run in their opt-in autonomous modes ("auto-mode" and "auto-review"), which use classifiers to approve commands the agent judges safe.
- The attack hides in a README.md note suggesting users run a "security.sh" script, which launches a hidden binary disguised as a compiled Go file; the researchers seeded it with strings from that adjacent file so Claude Code's disassembly check would tie the two together, sidestepping the three config-file patches Anthropic shipped in the past six months.
- A single payload written for Sonnet 4.6 worked unchanged on Sonnet 5, Opus 4.8, and GPT-5.5, and in some runs the newer models noticed the binary did not match its supposed source yet executed it anyway — grounding AI Now's claim that no model update can fix this.
- The demo used geopy, a widely used Python library, though the researchers say the technique ports to almost any project; when asked point-blank whether geopy contained hidden instructions, both Sonnet 4.6 and GPT-5.5 said no.
- Prior attacks establish the pattern is not new: Adversa's "TrustFall" turned booby-trapped repos into one-click execution across Claude Code, Cursor, Gemini CLI, and Copilot CLI in May, and Tenet's "Agentjacking" hit Claude Code and Cursor at an 85 percent rate via fake Sentry bug reports.
- AI Now is briefing policymakers as governments push AI agents into defensive security work via a June US executive order, and notes the researchers told Anthropic and OpenAI directly because the work sits outside both companies' formal disclosure programs.
- The recommendation is blunt: do not hand untrusted code to a command-capable agent, which undercuts the exact use case these tools were adopted for; the PoC stops at first execution with no privilege escalation or lateral movement, and there are no reported in-the-wild exploits.
Why it matters: The finding forces a hard tradeoff for any team using Claude Code or Codex to vet third-party code: the autonomous modes that make the agents useful are exactly the condition the attack exploits. AI Now's claim that no model update fixes this is grounded in the same payload working unchanged across four models with no modification, putting the burden on workflow changes rather than patches.




