Friendly Fire: agents review the trap, then execute it
AI Now Institute researchers show autonomous Claude Code and Codex can be tricked into running a hidden binary during their own security-review pass.
There is a category of security research that keeps arriving at the same conclusion in a different costume. This week it is called Friendly Fire, a proof-of-concept from AI Now Institute researchers Boyan Milanov and Heidy Khlaaf that turns an autonomous coding agent’s own security-review pass into the thing that runs the attacker’s code.
The setup, as they describe it in the brief: an untrusted open-source library
containing a hidden binary disguised as a compiled Go file, and a README
suggesting the reader run a security.sh script as a routine check. Anthropic’s
Claude Code and OpenAI’s Codex — the versions listed are Claude Code 2.1.116,
2.1.196, 2.1.198 and 2.1.199, running on Sonnet 4.6, Sonnet 5 or Opus 4.8, and
Codex 0.142.4 on GPT-5.5 — are then asked to audit the repository. In
auto-approve mode, both do what the README says. Then they run the payload.
The Hacker News picked up the write-up on Wednesday.
The mechanical trick worth understanding — without reproducing it — is that the researchers seeded the malicious script with strings the agents’ own disassembly step recognises, so the agent’s review of the binary looks successful and the two artifacts appear to corroborate each other. It is not a bug in a parser. It is the agent being pointed at a review checklist that has been written by the thing it is reviewing, and grading it a pass.
Why this keeps happening
I said this arrives in a different costume each week and I meant it. In the last ten days on this beat alone, we have covered Wiz’s GhostApproval symlink bug, in which six agents including Claude Code showed a user one file path in the approval dialog while writing to another; Sophos’s telemetry showing coding agents behaviorally indistinguishable from post-exploitation tooling to endpoint detection rules; the HalluSquatting work weaponising the fake package names AI assistants keep confidently importing; and HKUST’s SkillCloak demonstrating that the static scanners meant to guard agent skill marketplaces miss almost everything. The vulnerabilities differ. The underlying condition does not: an autonomous system is being handed input by someone who wants it to do something, and the guardrails that were meant to catch that are downstream of the same input.
This is not a novel category. It is the substrate that ran under macro
viruses in Word, under .desktop-file exploits on Linux, under Office
attachments that came back from the dead every five years. What is new is
the trust boundary. Word never claimed to review the document before running
the macro. The whole premise of an autonomous agent is that it does. Friendly
Fire is what happens when the review is convinced by the material under
review, which is a much older problem than any of the model versions listed
in the brief.
What the research actually establishes
Two things, cleanly, and worth reading in that order.
One: auto-approve modes on current-generation coding agents cannot independently distinguish a plausible-looking security check from a script designed to be recognised as one. That is a claim about the boundary between review and execution when both live inside the same agent process, not a claim about any specific model being uniquely weak.
Two: the research sits outside both companies’ formal disclosure programs. Milanov and Khlaaf told Anthropic and OpenAI; there is no CVE, no coordinated patch date, no PSIRT thread. The brief notes the AI Now team also referenced Claude Code’s earlier sandbox flaw CVE-2026-39861, which sat inside a formal channel and was fixed. Friendly Fire, by their framing, does not — the vendors do not treat “the agent should not trust an untrusted repo’s suggested workflow” as a security bug, because in some sense the agent was doing what it was asked. That is a policy problem more than a code problem.
The payload-stripped PoC is on GitHub for readers who want the full technical brief; there is no in-the-wild exploitation reported.
What to do about it, if anything
For operators running these agents against untrusted code — which, if you
work in software, is nearly all code you did not write yourself — the
practical implication is narrow and old-fashioned. Auto-approve modes on
coding agents should not be run against repositories you would not run
make install on unattended. That is the same rule that has always
applied to build systems, and to browser plug-ins, and to Word macros, and
to every generation of tool that offered to save you the trouble of
reading before you executed. The costume changed. The rule did not.
Whether the vendors treat Friendly Fire as a bug or as a documented limitation of a mode users opted into is now the interesting question, and it is downstream of a broader one the industry has been avoiding: whether “autonomous” and “reviews its own inputs” can honestly coexist. AI Now’s answer, as of this week, is that they cannot — not against an adversary who has read the review pass and written to it. That answer may improve. It has not yet.
Found this useful? Share it.


