FB Pixel

The agents you use to beef up cybersecurity could be turned against you – ‘Friendly Fire’ attacks can manipulate OpenAI and Anthropic models into running malicious code


A proof-of-concept by the AI Now Institute demonstrates remote code execution in Anthropic’s Claude Code and OpenAI’s Codex when they’re running in an autonomous mode that approves their own commands.

The Friendly Fire attack works against an out-of-the-box configuration of Claude Code in ‘auto-mode’ or Codex in ‘auto-review’, with researchers testing Claude Sonnet 4.6, Sonnet 5, and Opus 4.8 along with GPT-5.5.

It leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense – without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector.

Researchers noted the study highlights the potential risks associated with rapid adoption of AI-powered security tools.

Latest Videos From

Many organizations are doing so without “consideration of the substantial and unmitigated risks associated” with the technology.

AI-related cybersecurity concerns have been rising following the launch of powerful new models such as Claude Mythos. Anthropic rolled the model out as part of a gated release to prevent misuse, and US authorities temporarily imposed export controls amidst similar concerns.

How the Friendly Fire attack works

The attack works by inserting prompt injections into documentation files and adding README files that appear to be part of routine security tooling in an open source library.

Researchers used geopy, a popular Python used for searching for geographic coordinates, but said it could work with almost any project.

When a user asks Claude Code or Codex to perform a security assessment of the repository using the default auto-mode or auto-review automated modes, the agent can be persuaded to execute a malicious binary without any warning and without requesting any further user approval.

The proof of concept is causing alarm amongst security professionals. Roey Eliyahu, CEO and co-founder of Salt Security, said this marks the latest in a string of potential risks in recent months due to manipulation of agents.

“Friendly Fire, GitLost, Agentjacking, TrustFall. Four documented attacks in the past two months, different techniques, same underlying condition,” he said.

“Untrusted text reaches an agent that can run commands. The agent cannot reliably tell the difference between the code it is reviewing and the instructions it is being given. And the attacker’s payload executes on the host.”

Eliyahu emphasized that this is not a “model problem that can be patched”. All four models were vulnerable to the same techniques and payload, without any modifications for each.

“When the same attack works unchanged across two vendors and four model generations, you are not looking at a software bug. You are looking at a structural property of how these agents work.”

But, said Eljan Mahammadli, head of AI provenance at Polygraf AI, this shouldn’t rule out the use of AI for defensive security work.

ITPro approached Anthropic and OpenAI for comment, but did not receive a response by time of publication.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.



Source link

You might also like
MyTechExpertise
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.