PERMISSION/PROTOCOL
Back to incident tracker

2026-07-08

HighPrimary

AI Now Institute 'Friendly Fire': Prompt Injections in Third-Party Library Files Hijack Defensive Security-Review Agents for Remote Code Execution

AI Now Institute PoC (July 2026): prompt injections across third-party library files hijack Claude Code and Codex CLI security-review agents into executing attacker-controlled code. No plugins required.

Claude Code / OpenAI Codex CLITool execution / MCPRemote code execution via prompt injection in third-party codebaseDeveloper workstation or CI runner executing Claude Code or Codex CLI in auto-mode against an untrusted library

What happened

Attacker plants prompt injections across normal-looking files in a third-party library; victim's Claude Code or Codex CLI executes attacker-defined shell commands while scanning that library for vulnerabilities

Why it matters

Arbitrary code execution on the developer's machine or CI runner with access to local credentials, environment variables, SSH keys, and any secrets reachable from the review session

Missing authorization check

A signed receipt attesting that the shell command or file write was authorized by the human operator — not synthesized from untrusted context inside a scanned codebase

Would PP block it?

PP's authorization chain sits outside the agent runtime. Every shell command and file mutation requires a receipt signed by the legitimate operator session. Injected instructions cannot forge that receipt, so the attacker's RCE payload would hit PP's Tool-Call Gate before execution. The gate requires out-of-band human approval that the attacker cannot satisfy. Model reasoning is still compromised — the agent may refuse legitimate follow-on tasks or leak information via its visible reasoning — but the consequential execution step is blocked.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-06-02

    White House executive order promotes AI-enabled defensive cyber tools; Anthropic's Project Glasswing positions Claude Code Security for open-source library vulnerability scanning.

  2. 2026-07-07

    Adversa AI July 2026 security roundup flags prompt-injection-against-defensive-agents as a dominant emerging theme.

  3. 2026-07-08

    AI Now Institute publishes 'Friendly Fire' exploit brief with PoC video demonstrating RCE against Claude Code (Sonnet 4.6, Claude 5, Opus 4.8) and Codex CLI (GPT-5.5); explicitly warns against AI-enabled defensive cyber mandates without addressing new attack surfaces.

  4. 2026-07-09

    NxCode covers Friendly Fire alongside Varonis Rogue Agent disclosure; aiAuthZ arXiv paper and Unicode TAG-Block MCP concealment paper published as corroborating research.

  5. 2026-07-10

    Story trending; no public patch or response from Anthropic or OpenAI at time of indexing.

Technical breakdown

  • Prompt injections are distributed across multiple normal-looking source files (READMEs, code comments, config files, docstrings) in an attacker-controlled library — no single file looks suspicious.
  • Claude Code in auto-mode or Codex in auto-review reads these files as part of the security scan, placing hostile instructions directly into the model's active context window.
  • The injected instructions steer the agent to execute attacker-defined shell commands or write malicious files; from the agent's perspective these appear as legitimate review steps.
  • No special attack vector is needed — the exploit requires only the standard file-reading step in any security review workflow, making it applicable to any agentic platform that reads untrusted code.
  • AI Now Institute notes the attack is likely transferable to other agentic platforms and highlights a structural paradox: AI-enabled defensive tools create new attack surfaces proportional to their autonomy and access.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Tool-Call Gate (shell command execution, file writes, network calls, package installation)
Still needs
Model-internal reasoning hijack — PP cannot inspect the LLM's context window or prevent hostile instructions from influencing agent reasoning; it only gates externalized actions. Information leakage through the agent's visible output (printed reasoning, partial results) is also outside PP's scope.
Receipt required for
Shell command execution, file system writes, network egress, package manager invocations

PP gates consequential tool calls (shell exec, file writes, network egress) behind signed receipts that the human operator must authorize. An attacker-injected payload cannot produce a valid PP receipt, so downstream destructive actions would stall at the enforcement point. However PP cannot prevent the model's reasoning from being hijacked — it only blocks unsigned consequential actions that emerge from that hijacking.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop