Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1810+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It
AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It
NEWS

AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It

Researchers at the AI Now Institute have demonstrated a 'Friendly Fire' attack that tricks AI coding agents — including Claude Code, Gemini CLI, and OpenAI Codex — into executing the very malicious code they were scanning for.

Dylan H.

News Desk

July 9, 2026
3 min read

A new proof-of-concept attack called "Friendly Fire" demonstrates a troubling vulnerability in AI-powered security tools: when asked to scan open-source packages for malicious code, popular AI coding agents can be manipulated into executing the attacker's payload on the analyst's own machine.

The research, published by the AI Now Institute, targets AI coding assistants that have been repurposed as security scanning tools — a common practice among developers looking to leverage large language models for automated code review.

How Friendly Fire Works

The attack is a variant of prompt injection, but with a particularly dangerous twist. When a developer instructs an AI agent to review a potentially malicious package, the attacker embeds hidden instructions within the code or documentation of that package. These instructions hijack the AI's reasoning, redirecting it from "analyze this code" to "execute this code."

The attack chain works as follows:

  1. Attacker publishes a malicious package to npm, PyPI, or another registry
  2. Hidden prompt injection is embedded in comments, README files, or code strings
  3. Developer asks an AI agent to scan the package for threats
  4. The AI agent reads the injected instructions and interprets them as legitimate task directives
  5. The agent executes the malicious payload — on the developer's machine, with the developer's permissions

Affected Agents

The researchers confirmed the attack works against several leading AI coding agents:

  • Anthropic Claude Code — CLI-based agent for coding tasks
  • Google Gemini CLI — command-line AI assistant
  • OpenAI Codex / ChatGPT with code interpreter

The vulnerability stems from a fundamental challenge in agentic AI: agents with tool-use capabilities (file system access, shell execution, network calls) cannot reliably distinguish between instructions from their authorized user and instructions embedded in the content they are analyzing.

Why This Is Significant

Traditional static analysis tools read code — they do not execute it in response to instructions embedded within it. AI agents blur this line. When an agent has both the ability to read code and the ability to run shell commands, a sufficiently crafted prompt can bridge the two.

This attack is especially dangerous in CI/CD pipelines and automated security workflows where:

  • Agents run with elevated permissions
  • There is minimal human oversight of individual tool calls
  • The output of one AI agent feeds into the next

Mitigations

Until AI agent frameworks implement stronger sandboxing and instruction-source validation, security teams should:

  1. Never run AI agents with shell execution capabilities against untrusted code without strict sandboxing (e.g., Docker containers with no network access)
  2. Treat AI security scans as advisory — not as a substitute for deterministic static analysis tools
  3. Audit agent tool call logs to detect unexpected command execution
  4. Apply the principle of least privilege — agents should not have write or execute permissions unless absolutely necessary
  5. Use separate environments — scan suspicious packages in isolated VMs, not developer workstations

The Broader Implication

Friendly Fire exposes a category of risk that will grow as AI agents take on more autonomous roles in software development and security operations. The same capabilities that make these agents powerful — reading files, running commands, accessing APIs — make them dangerous when their inputs can be manipulated.

As AI-assisted security tooling matures, the industry will need formal standards for agent sandboxing, instruction provenance verification, and human-in-the-loop checkpoints for high-risk operations.

For now: scan untrusted code the old-fashioned way before letting an AI agent anywhere near it.

#AI Security#Prompt Injection#Claude Code#Supply Chain#Zero Day

Related Articles

Decades-Old Bash Tricks Expose AI Coding Agents to Supply Chain Attacks

Security researchers have found that classic Bash shell techniques — some dating back decades — can bypass the safeguards in most open-source AI coding...

5 min read

OpenClaw AI Agent Flaws Enable Prompt Injection, 1-Click

China's CNCERT has warned that OpenClaw (formerly Clawdbot/Moltbot), the viral self-hosted AI agent, carries over 250 disclosed vulnerabilities including...

6 min read

What Changes When AI Writes Your Code: Supply Chain Security in the Age of LLMs

Software supply chain security was already complex. Now that AI coding assistants are writing production code, security teams face new questions about provenance, SBOM coverage, and trust boundaries.

5 min read
Back to all News