← Back to blog

AI Coding Agents Can Be Tricked Into Executing Malicious Code

Security researchers demonstrate how AI agents designed to detect vulnerabilities can be manipulated into running malicious code. The 'Friendly Fire' attack targets autonomous AI systems like Claude Code and Codex.

TL;DR

  • AI Now Institute reveals 'Friendly Fire' attack exploiting autonomous AI coding agents
  • Targets Anthropic's Claude Code and OpenAI's Codex when running in self-approving mode
  • Attack tricks AI systems into executing malicious code while scanning for vulnerabilities
  • Demonstrates critical security risks in AI-assisted code review processes
  • Highlights need for human oversight in autonomous AI security tools

Artificial intelligence systems designed to help developers identify security vulnerabilities in code can ironically be tricked into executing malicious code themselves. This counterintuitive risk has been demonstrated by researchers at the AI Now Institute through a novel attack vector they've dubbed "Friendly Fire."

The proof-of-concept attack specifically targets autonomous AI coding agents, including Anthropic's Claude Code and OpenAI's Codex, when these systems are configured to operate without human intervention. Rather than simply identifying potential security flaws, these compromised AI agents can be manipulated into actually running the very malicious code they were meant to detect.

How the Attack Works

  • The 'Friendly Fire' attack exploits AI coding agents when they operate in autonomous mode with self-approval capabilities
  • Attackers can craft malicious code that appears legitimate to the AI system during security scanning
  • The AI agent mistakenly executes the harmful code while attempting to analyze it for vulnerabilities
  • The attack specifically targets popular AI coding assistants like Claude Code and Codex
  • Proof-of-concept was demonstrated by AI Now Institute researchers

Implications for Software Security

  • Highlights critical risks in fully autonomous AI security tools without proper safeguards
  • Demonstrates that AI systems can become attack vectors themselves rather than just defensive tools
  • Shows the importance of maintaining human oversight in AI-assisted code review processes
  • Raises questions about the security assumptions underlying current AI coding agent implementations
  • Suggests need for improved isolation and sandboxing of AI systems during code analysis

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

AI Coding Agents Can Be Tricked Into Executing Malicious Code — Agent Breach Blog | Agent Breach