AI coding agents designed to identify malicious code can be manipulated into executing that same code on the user's system. Researchers at the AI Now Institute demonstrated this vulnerability in a proof-of-concept attack called "Friendly Fire," which successfully compromised Anthropic's Claude Code and OpenAI's Codex when both operated in autonomous execution modes.

The attack exploits a fundamental weakness in how these agents evaluate and handle untrusted code. When scanning open-source repositories for security vulnerabilities, the agents can be tricked through carefully crafted prompts or obfuscated code patterns into believing malicious code is legitimate. The agent then approves and executes the code it was supposed to analyze, giving attackers direct access to the user's machine.

This represents a critical failure in the security assumptions underlying autonomous AI agents. Organizations deploying these tools to scan dependencies or review code now face an inverted risk. The agent meant to protect against supply chain attacks becomes a vector for those same attacks.

Claude Code and Codex are widely adopted in development workflows. Codex powers GitHub Copilot's code completion features, while Claude Code enables code execution within Anthropic's Claude assistant. Both tools appeal to developers precisely because they can autonomously identify and fix security issues. The Friendly Fire attack exposes the dangers of that autonomy when threat actors control the input.

The AI Now Institute's findings come at a time when enterprise adoption of AI coding assistants accelerates. Development teams using these tools to scan third-party packages or audit unfamiliar codebases now must assume that autonomous approval and execution modes carry unacceptable risk until the vendors address the vulnerability.

Anthropic and OpenAI have not yet disclosed patches or mitigations. Users currently relying on autonomous execution should disable that functionality immediately and require manual review of any code before it runs. Organizations integrating these agents into CI/