Developers are increasingly using AI coding agents to review unfamiliar software for security problems.
Researchers have now demonstrated an attack that turns that workflow against the developer. By placing carefully written instructions and files inside a repository, an attacker can convince an AI security reviewer to execute a malicious program on the reviewer’s computer.
The proof of concept, called Friendly Fire, was published by the AI Now Institute on July 8. It affected Anthropic’s Claude Code and OpenAI’s Codex when their autonomous command-approval modes were enabled.
How the attack worked
The researchers modified a copy of an open-source project and asked the AI agent to inspect it for vulnerabilities.
Inside the repository, they placed three important components:
A malicious executable.
A harmless-looking source file that appeared to explain what the executable did.
Instructions inside the project’s README telling developers to run a security-checking script.
The README described the script as a normal security tool that should be run before opening a pull request. The script then launched the malicious executable.
The agents examined the repository, read the documentation, inspected the script, and found the decoy source file. Based on that context, they concluded that the security script was relevant to the review and safe to run.
The agents then executed the attacker’s program on the host computer.
The malicious program was not required by the project’s actual code. Its only purpose was to be discovered and executed by the AI reviewer.
Why the safety checks failed
AI coding agents process source code, documentation, comments, issue reports, configuration files, and terminal output as part of the same working context.
That creates a trust problem. A README can contain legitimate setup instructions, malicious instructions, or a mixture of both. The model has to decide what information is relevant and which commands are safe enough to execute.
In the Friendly Fire demonstration, the malicious instructions did not openly demand that the agent install malware. They presented the command as a reasonable step in a security review.
The researchers also gave the malicious executable a decoy source file. The agent inspected both and incorrectly concluded that the binary matched the harmless code.
The attack was initially developed for Claude Sonnet 4.6. The same payload also worked against Claude Sonnet 5, Claude Opus 4.8, and GPT-5.5 without additional changes.
The researchers tested Claude Code’s auto-mode and Codex’s auto-review mode. These settings allow a secondary classifier to approve commands that appear safe instead of asking the user before every action.
The attack depends on that authority. An agent that can read untrusted content and execute commands has everything required to turn malicious text into activity on the host system.
This problem extends beyond README files
A separate July 2026 research paper described a related class of attacks called agent data injection.
The researchers showed that attacker-controlled content could be formatted to resemble trusted information inside an agent’s context. In one example, a malicious product review caused a browser agent to confuse a fake “Read More” button with a real “Buy Now” button and click the purchase button.
The paper reported vulnerabilities affecting web agents and coding agents, including Claude in Chrome, Claude Code, Codex, Gemini CLI, Antigravity, and Nanobrowser. The paper is a research preprint, so its findings should be treated as newly published research rather than a finalized industry standard.
Both pieces of research point to the same practical risk: external content can influence an agent that has permission to take real actions.
How developers should use coding agents
Do not allow an AI agent to autonomously execute commands while reviewing an unfamiliar repository.
Clone untrusted projects into a disposable virtual machine or isolated development environment. That environment should contain no personal files, browser sessions, SSH keys, cryptocurrency wallets, password-manager data, production credentials, cloud tokens, or access to internal systems.
Avoid mounting your home directory inside the environment. A container with broad access to the host filesystem provides little protection if the agent executes a malicious program.
Restrict outbound network access when the review does not require it. Malware that cannot reach an attacker’s server has fewer options for downloading additional tools or sending stolen information.
Review every script before allowing the agent to run it. Pay particular attention to commands referenced in:
README files
Installation instructions
Build scripts
Package scripts
GitHub issues
Pull-request comments
Test commands
Files claiming to perform security checks
Do not rely on the agent to determine whether a prompt injection is present. In the Friendly Fire experiment, the researchers directly asked the models whether the repository contained prompt injection attempts. The tested models failed to identify them.
Organizations should separate AI review environments from developer workstations and production systems. Agent activity should be logged, command execution should require explicit policy approval, and secrets should be unavailable unless a task specifically needs them.
A sandbox reduces the damage an attack can cause, but it should be combined with limited permissions, restricted networking, disposable environments, and human review.
The useful takeaway
An AI agent reviewing hostile code is interacting with an attacker.
Treat every file, comment, instruction, and script inside an unfamiliar repository as untrusted input. Give the agent access only to an environment you can afford to lose.
