Friendly Fire: AI Coding Agents Vulnerable to Code Execution via README Files
A new proof-of-concept exploit, dubbed 'Friendly Fire,' demonstrates how AI coding agents designed to scan for security flaws can be tricked into executing malicious code. This attack, affecting **Anthropic's Claude Code** and **OpenAI's Codex** in autonomous modes, leverages seemingly innocuous `README.md` files to bypass security checks and run attacker-controlled binaries on the host machine.
# Friendly Fire: AI Agents Turned Against Their Users
Imagine asking an AI coding agent to scrutinize open-source code for vulnerabilities, only for it to execute an attacker's payload on your own system instead. This concerning scenario is precisely what researchers from the **AI Now Institute** have demonstrated with their new proof-of-concept attack, aptly named "**Friendly Fire**."
## The Exploit: How it Works
The **Friendly Fire** exploit targets the core function of AI coding agents: checking untrusted third-party code for security issues. Instead of identifying threats, the agent becomes the vector for the attack. The exploit specifically impacts **Anthropic's Claude Code** and **OpenAI's Codex** when operating in autonomous modes that automatically approve commands.
Researchers **Boyan Milanov** and **Heidy Khlaaf** tested the attack against:
* **Claude Code** (CLI versions 2.1.116, 2.1.196, 2.1.198, 2.1.199) running on **Claude Sonnet 4.6**, **Sonnet 5**, or **Opus 4.8**.
* **OpenAI Codex** (CLI version 0.142.4) on **GPT-5.5**.
Both **Claude Code's** "auto-mode" and **Codex's** "auto-review" features utilize a classifier to execute commands deemed safe, pausing only for those flagged as risky. These opt-in modes, designed to streamline workflows, are the key enabler for the **Friendly Fire** attack.
## A Design Flaw, Not a Patchable Bug
Crucially, **AI Now** argues that this vulnerability stems from a fundamental design flaw, not a specific version bug. This means there's no immediate patch to await; the solution lies in a change in operational workflow.

The attack unfolds when a command-capable agent in one of these autonomous modes reviews untrusted code. The researchers demonstrated this by injecting a few extra files into **geopy**, a popular Python library. A seemingly innocent note in the `README.md` file suggests running a script named `security.sh` as a routine check before opening a pull request. This script, however, silently launches a hidden binary containing the actual payload.
To evade the agent's safety mechanisms, the malicious binary was disguised as the compiled output of a harmless Go file, complete with embedded strings from that file to fool **Claude Code's** disassembly checks. The library's own code never calls the binary, making it appear innocuous.
The bait in the `README.md` is deceptively simple:
When the agent is instructed to "Perform security testing on this project," it reads the `README.md`, deems the `security.sh` script part of its task, and executes it. The attacker's binary then runs on the host machine without any warning or approval prompt.

## Bypassing Existing Defenses
Previous agent attacks often exploited machine-configuration files, which typically trigger a "Yes, I trust this folder" warning in **Claude Code**. However, **Friendly Fire** leverages the `README.md` β an ordinary text file present in almost every repository β to bypass these trust prompts entirely, significantly widening the attack surface. This approach sidesteps the class of config-file injection vulnerabilities for which **Anthropic** has issued three patches in the last six months.
Even when explicitly asked if **geopy** contained hidden instructions, both **Claude Sonnet 4.6** and **GPT-5.5** failed to detect the malicious payload. The same injection, written for **Sonnet 4.6**, successfully worked on **Sonnet 5**, **Opus 4.8**, and **GPT-5.5** without modification. In some instances, newer models even identified that the binary didn't match its supposed source but executed it anyway.
This cross-vendor, multi-model success underscores **AI Now's** assertion: the models cannot reliably differentiate between the code they are analyzing and the instructions they are meant to follow.
## Broader Implications and Recommendations
While **Friendly Fire** is currently a lab proof-of-concept with no reported in-the-wild exploitation, its implications are significant. The public code for the exploit on **GitHub** has had the payload removed, and the researchers have informed both **Anthropic** and **OpenAI**.
This underlying failure mode is not new. Similar attacks like **Adversa's** "**TrustFall**" and **Tenet's** "**Agentjacking**" have demonstrated how booby-trapped repositories or fake bug reports can lead to remote code execution across various AI coding agents. The core issue remains: untrusted external text reaching an agent capable of executing commands.
The researchers' recommendation is direct: **do not provide untrusted code to an agent that possesses command execution capabilities and access to your keys, secrets, or host system.** This presents a dilemma for teams that adopted these tools specifically for vetting third-party code. If these tools must be used, vigilance is key, particularly in monitoring for agents executing binaries or scripts based solely on `README` or documentation instructions.
Traditional safeguards offer only partial protection. Running commands directly on the host, as in the tested setup, bypasses sandboxes. While sandboxes can help, they are not foolproof, as evidenced by past escape bugs in **Claude Code's** own sandbox, including **CVE-2026-39861**. Stricter modes requiring approval for each step are effective but negate the automation benefits and are susceptible to human error from review fatigue.