Friendly Fire: When the AI You Hired to Find Malware Runs It Instead
AI Now Institute discovered that Claude Code in auto-mode and Codex in auto-review will execute malicious code during security audits — the very task they were deployed to prevent. The attack requires zero hooks, zero plugins, zero MCP servers. Just prompt injections in source code. Combined with GhostApproval, every security layer in AI coding assistants is now bypassable.
On July 8, 2026, two independent security disclosures landed within hours of each other. Wiz published GhostApproval — symlinks bypass the approval dialog. AI Now Institute published Friendly Fire — prompt injections bypass the AI’s own safety judgment. Between them, they defeated every security mechanism AI coding assistants have.
GhostApproval got the dedicated writeup it deserved. Friendly Fire got folded into a weekly roundup. That undersells it. This attack is fundamentally different — and more dangerous — because it doesn’t just trick the UI. It tricks the model itself into becoming the attack vector.
The Two-Layer Security Model
Every AI coding assistant has two layers of security between an untrusted repository and your machine:
Layer 1 — The Approval Dialog: Before the agent edits a file or runs a command, it asks the developer. “Can I run npm install?” “Can I edit config.json?” The developer is supposed to be the gatekeeper. GhostApproval broke this by making the dialog lie about what file it was writing to.
Layer 2 — The Safety Classifier: For agents running in autonomous mode (Claude Code’s “auto-mode,” Codex’s “auto-review”), there’s a second layer. The agent itself judges whether a command is safe to run without asking a human. It uses a classifier trained to distinguish safe operations from dangerous ones. If the classifier says “safe,” the agent acts without human approval.
Friendly Fire breaks Layer 2. And it breaks it so completely that the AI’s security review process becomes the attack delivery mechanism.
How Friendly Fire Works
The AI Now Institute’s proof of concept is elegant in its simplicity. Here’s the attack:
-
An organization deploys an AI coding agent to review third-party code. This is becoming standard practice. You clone an open-source library, run Claude Code or Codex on it, and ask the agent: “Review this codebase for security vulnerabilities. Fix anything you find.”
-
The attacker embeds prompt injections throughout the library’s source code. Not in a configuration file. Not in a README. Not in a package.json. In the actual source files — comments, docstrings, variable names — scattered across the codebase like landmines.
-
No hooks, skills, plugins, or MCP servers required. The AI Now Institute tested this against out-of-the-box configurations of Claude Code CLI (Claude Sonnet 4.6/5, Opus 4.8) and OpenAI’s Codex CLI (GPT-5.5) (AI Now GitHub). No customization. No extensions. Default settings.
-
The agent reads the injected source files during its security review. The prompt injections don’t say “run this command.” That would get caught. They say things the agent interprets as security-relevant instructions — validate this, check that, verify something — and in the process of following those instructions, the agent downloads and executes attacker-controlled code.
-
The safety classifier approves every step. This is the critical failure. The commands the agent runs are, individually, safe-looking operations.
curlto download a file.unzipto extract it.pythonto run a test harness. Each step passes the classifier. The combined sequence is malicious — but no single step triggers an alarm (Grid the Grey).
The attacker never needed to bypass the classifier. The attack worked within the classifier’s safety envelope, assembling individually-safe operations into a malicious chain that only makes sense when you see the whole picture.
Why This Is Worse Than GhostApproval
GhostApproval requires the developer to approve a malicious action — the approval dialog just lies about what it’s approving. If you’re paying attention, if you read the dialog carefully, if you notice that docs/README.md is a symlink pointing at ~/.ssh/authorized_keys, you catch it.
Friendly Fire requires no human approval at all. The agent is in auto-mode. The classifier says “safe.” The developer isn’t in the loop. There’s no dialog to inspect. No symlink to notice. The agent silently evaluates, silently decides, and silently executes.
GhostApproval is a UI bug. Friendly Fire is an architectural failure.
The Irony Is the Point
The AI Now Institute named it Friendly Fire for a reason. These AI agents weren’t deployed to build software — they were deployed to audit software. They were the security layer. The organization said “we need to check this third-party code for vulnerabilities” and deployed an AI agent to do it. The agent found the injected code, processed it, and in trying to validate it, executed it.
The security tool became the attack vector.
This is the nightmare scenario for AI agent security: the tool you deployed to keep you safe is the tool that compromises you. And unlike GhostApproval, there’s no patch for this. The fundamental architecture of AI coding agents — reading untrusted input, executing commands based on that input, using a classifier that can’t understand multi-step attack chains — makes Friendly Fire inevitable.
The Affected Models
AI Now Institute confirmed exploitation against:
- Claude Code CLI with Claude Sonnet 4.6 — auto-mode (AI Now GitHub)
- Claude Code CLI with Claude Sonnet 5 — auto-mode
- Claude Code CLI with Claude Opus 4.8 — auto-mode
- OpenAI Codex CLI with GPT-5.5 — auto-review mode (AI Now GitHub)
The attack worked across frontier models from both major vendors. Model capability didn’t matter. The more capable the model was at understanding the injected security instructions, the more reliably it executed the attack chain.
What Makes Auto-Mode and Auto-Review Dangerous
Both Claude Code’s auto-mode and Codex’s auto-review use a classifier-based approach to decide when to act without human approval (Anthropic). The classifier categorizes each proposed action as “safe” or “unsafe.” Safe actions execute automatically. Unsafe actions pause for human review.
The problem isn’t that the classifier is bad at its job. It’s quite good at identifying dangerous individual operations. The problem is that no classifier operating on single actions can detect a multi-step attack chain where every individual step looks benign.
This is the same class of problem that plagued antivirus software in the 1990s — signature-based detection works against known threats but fails against novel attack chains. The AI Now Institute didn’t need a novel attack chain. They needed an attack where each step, viewed in isolation, looked like normal software development activity:
- “Download this test fixture” → curl (safe)
- “Extract the test data” → unzip (safe)
- “Run the validation suite” → python script (safe)
Three safe operations. One compromised machine.
The Vendor Responses
As of July 11, 2026:
Anthropic has not issued a public statement on Friendly Fire. They were notified by AI Now Institute before publication. Claude Code’s auto-mode remains the default for many users. The company’s security page does not mention prompt-injection-based attacks on the auto-mode classifier.
OpenAI has not issued a public statement on Friendly Fire. Codex’s auto-review mode remains available.
Both vendors face the same structural problem: the auto-mode/auto-review classifier operates on individual actions, and any attack that chains individually-safe actions into a malicious sequence bypasses it by design. There is no patch that fixes this within the current architecture. The fix would require the agent to maintain context across an entire session and evaluate the full action chain holistically — which is, in effect, asking the AI to perform the exact kind of adversarial reasoning that current models struggle with.
The Combined Impact: Zero Surviving Security Layers
Place GhostApproval and Friendly Fire side by side:
| Security Layer | Attack | Status |
|---|---|---|
| Human approval dialog | GhostApproval (symlink UI spoofing) | Broken in 5 of 6 assistants (Wiz) |
| AI safety classifier (auto-mode) | Friendly Fire (multi-step prompt injection) | Broken in Claude Code + Codex (AI Now) |
| Workspace isolation | GhostApproval (symlink traversal) | Broken in Augment, Windsurf (Wiz) |
| Human-in-the-loop (overall) | Both attacks combined | Defeated end-to-end |
Every security mechanism that AI coding assistant vendors have shipped — the approval dialog, the safety classifier, workspace isolation, human-in-the-loop — has now been demonstrated bypassable. Not theoretically. In working, published proof-of-concept exploits.
This isn’t a patch cycle. This is a paradigm failure.
What This Means for Teams Using AI Coding Assistants
If you’re using Claude Code or Codex to review third-party code — to audit dependencies, check open-source libraries, validate contractor deliverables — Friendly Fire means the agent you trust to find malicious code can be made to run it instead.
Some practical mitigations, in descending order of effectiveness:
-
Never run AI coding agents in auto-mode against untrusted code. If you’re reviewing code from outside your organization, disable auto-mode and require manual approval for every action. Yes, this slows you down. That’s the point.
-
Run security reviews against untrusted code in a sandboxed environment. A VM, a container with no network access, a machine with no access to internal resources. The agent can find bugs without being able to exploit them.
-
Audit the full action chain, not individual steps. Every security review should end with a human examining what the agent actually did — not just what it found, but what commands it ran, what files it touched, what network connections it made.
-
Assume prompt injection is present in any untrusted codebase. An attacker doesn’t need to hide a malicious binary in the code. They need to hide instructions that an AI agent will follow. Comment blocks, docstrings, variable names, error messages — any text an agent reads is a potential injection vector.
-
Don’t deploy AI agents as your only security review layer. This should be obvious after Friendly Fire, but it bears stating: an AI agent cannot be the sole reviewer of code you don’t trust. A human needs to be in the loop for the full review, not just for individual approvals.
What This Means for dotfm
Friendly Fire validates everything we’ve been saying for two weeks.
Automated tools can’t catch multi-step attack chains in AI-generated or AI-reviewed code. They can’t understand adversarial intent across scattered prompt injections. They can’t evaluate whether an AI agent’s security review was itself compromised.
This is the structural moat we identified in our six-layer landscape analysis. Layers 1-5 (static scanners, runtime sandboxes, runtime authorization, agent testing, AI-native security platforms) all operate on the same assumption: that the AI agent is trustworthy. That it reports honestly. That it can distinguish safe from unsafe.
Friendly Fire proves that assumption is false. Against an AI agent in auto-mode, no automated security layer can protect you — because the security layer is the AI agent, and the AI agent is the one being compromised.
Human-led audit is not a nice-to-have. It’s the only layer that survives.
The Bottom Line
GhostApproval showed that you can’t trust what the AI tells you it’s doing. Friendly Fire showed that you can’t trust the AI to decide for itself what’s safe to do. Together, they demonstrate that every security mechanism in AI coding assistants — the approval dialog, the safety classifier, the workspace boundary — is bypassable with techniques that are 40 years old (symlinks) and two years old (prompt injection).
The tools we deployed to keep us safe are now themselves the attack surface. And the vendors who built them are still arguing about whether this is even a bug.
If your team is using AI coding assistants in production and you’re wondering whether your security review process survives both GhostApproval and Friendly Fire, let’s talk. I audit AI agent workflows for exactly these failure modes.
Is your AI-built app ready for real users?
We audit, harden, and ship AI-built apps. From security review to production deployment.
Get an audit →