Skip to content
feed: live
>_ 0dayNews
threat intel
Analysis

Friendly Fire: agents review the trap, then execute it

AI Now Institute researchers show autonomous Claude Code and Codex can be tricked into running a hidden binary during their own security-review pass.

Friendly Fire: agents review the trap, then execute it
Image: 0dayNews / 0dayNews Editorial · All rights reserved
kilobaud Dave "Kilobaud" Ferris · Published · 3 min read

There is a category of security research that keeps arriving at the same conclusion in a different costume. This week it is called Friendly Fire, a proof-of-concept from AI Now Institute researchers Boyan Milanov and Heidy Khlaaf that turns an autonomous coding agent’s own security-review pass into the thing that runs the attacker’s code.

The setup, as they describe it in the brief: an untrusted open-source library containing a hidden binary disguised as a compiled Go file, and a README suggesting the reader run a security.sh script as a routine check. Anthropic’s Claude Code and OpenAI’s Codex — the versions listed are Claude Code 2.1.116, 2.1.196, 2.1.198 and 2.1.199, running on Sonnet 4.6, Sonnet 5 or Opus 4.8, and Codex 0.142.4 on GPT-5.5 — are then asked to audit the repository. In auto-approve mode, both do what the README says. Then they run the payload. The Hacker News picked up the write-up on Wednesday.

The mechanical trick worth understanding — without reproducing it — is that the researchers seeded the malicious script with strings the agents’ own disassembly step recognises, so the agent’s review of the binary looks successful and the two artifacts appear to corroborate each other. It is not a bug in a parser. It is the agent being pointed at a review checklist that has been written by the thing it is reviewing, and grading it a pass.

Why this keeps happening

I said this arrives in a different costume each week and I meant it. In the last ten days on this beat alone, we have covered Wiz’s GhostApproval symlink bug, in which six agents including Claude Code showed a user one file path in the approval dialog while writing to another; Sophos’s telemetry showing coding agents behaviorally indistinguishable from post-exploitation tooling to endpoint detection rules; the HalluSquatting work weaponising the fake package names AI assistants keep confidently importing; and HKUST’s SkillCloak demonstrating that the static scanners meant to guard agent skill marketplaces miss almost everything. The vulnerabilities differ. The underlying condition does not: an autonomous system is being handed input by someone who wants it to do something, and the guardrails that were meant to catch that are downstream of the same input.

This is not a novel category. It is the substrate that ran under macro viruses in Word, under .desktop-file exploits on Linux, under Office attachments that came back from the dead every five years. What is new is the trust boundary. Word never claimed to review the document before running the macro. The whole premise of an autonomous agent is that it does. Friendly Fire is what happens when the review is convinced by the material under review, which is a much older problem than any of the model versions listed in the brief.

What the research actually establishes

Two things, cleanly, and worth reading in that order.

One: auto-approve modes on current-generation coding agents cannot independently distinguish a plausible-looking security check from a script designed to be recognised as one. That is a claim about the boundary between review and execution when both live inside the same agent process, not a claim about any specific model being uniquely weak.

Two: the research sits outside both companies’ formal disclosure programs. Milanov and Khlaaf told Anthropic and OpenAI; there is no CVE, no coordinated patch date, no PSIRT thread. The brief notes the AI Now team also referenced Claude Code’s earlier sandbox flaw CVE-2026-39861, which sat inside a formal channel and was fixed. Friendly Fire, by their framing, does not — the vendors do not treat “the agent should not trust an untrusted repo’s suggested workflow” as a security bug, because in some sense the agent was doing what it was asked. That is a policy problem more than a code problem.

The payload-stripped PoC is on GitHub for readers who want the full technical brief; there is no in-the-wild exploitation reported.

What to do about it, if anything

For operators running these agents against untrusted code — which, if you work in software, is nearly all code you did not write yourself — the practical implication is narrow and old-fashioned. Auto-approve modes on coding agents should not be run against repositories you would not run make install on unattended. That is the same rule that has always applied to build systems, and to browser plug-ins, and to Word macros, and to every generation of tool that offered to save you the trouble of reading before you executed. The costume changed. The rule did not.

Whether the vendors treat Friendly Fire as a bug or as a documented limitation of a mode users opted into is now the interesting question, and it is downstream of a broader one the industry has been avoiding: whether “autonomous” and “reviews its own inputs” can honestly coexist. AI Now’s answer, as of this week, is that they cannot — not against an adversary who has read the review pass and written to it. That answer may improve. It has not yet.

Found this useful? Share it.