What happened
Attacker plants prompt injections across normal-looking files in a third-party library; victim's Claude Code or Codex CLI executes attacker-defined shell commands while scanning that library for vulnerabilities
2026-07-08
HighPrimaryAI Now Institute PoC (July 2026): prompt injections across third-party library files hijack Claude Code and Codex CLI security-review agents into executing attacker-controlled code. No plugins required.
What happened
Attacker plants prompt injections across normal-looking files in a third-party library; victim's Claude Code or Codex CLI executes attacker-defined shell commands while scanning that library for vulnerabilities
Why it matters
Arbitrary code execution on the developer's machine or CI runner with access to local credentials, environment variables, SSH keys, and any secrets reachable from the review session
Missing authorization check
A signed receipt attesting that the shell command or file write was authorized by the human operator — not synthesized from untrusted context inside a scanned codebase
Would PP block it?
PP's authorization chain sits outside the agent runtime. Every shell command and file mutation requires a receipt signed by the legitimate operator session. Injected instructions cannot forge that receipt, so the attacker's RCE payload would hit PP's Tool-Call Gate before execution. The gate requires out-of-band human approval that the attacker cannot satisfy. Model reasoning is still compromised — the agent may refuse legitimate follow-on tasks or leak information via its visible reasoning — but the consequential execution step is blocked.
Incident analysis
2026-06-02
White House executive order promotes AI-enabled defensive cyber tools; Anthropic's Project Glasswing positions Claude Code Security for open-source library vulnerability scanning.
2026-07-07
Adversa AI July 2026 security roundup flags prompt-injection-against-defensive-agents as a dominant emerging theme.
2026-07-08
AI Now Institute publishes 'Friendly Fire' exploit brief with PoC video demonstrating RCE against Claude Code (Sonnet 4.6, Claude 5, Opus 4.8) and Codex CLI (GPT-5.5); explicitly warns against AI-enabled defensive cyber mandates without addressing new attack surfaces.
2026-07-09
NxCode covers Friendly Fire alongside Varonis Rogue Agent disclosure; aiAuthZ arXiv paper and Unicode TAG-Block MCP concealment paper published as corroborating research.
2026-07-10
Story trending; no public patch or response from Anthropic or OpenAI at time of indexing.
Authorization boundary
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
PP gates consequential tool calls (shell exec, file writes, network egress) behind signed receipts that the human operator must authorize. An attacker-injected payload cannot produce a valid PP receipt, so downstream destructive actions would stall at the enforcement point. However PP cannot prevent the model's reasoning from being hijacked — it only blocks unsigned consequential actions that emerge from that hijacking.
Related incidents and controls
Microsoft: Claude Code GitHub Action prompt injection exposed CI/CD secrets and evaded GitHub secret scanning
Invariant Labs: Malicious GitHub Issue Hijacked AI Assistant to Exfiltrate Private Repo Data via MCP Prompt Injection
OALABS Research: Captured Session Logs Show Hackers Using Claude Code as an Active C2 to Breach DeFi Platforms, Enumerate AWS Credentials, and Replicate Production Databases
IDEsaster: 30+ Vulnerabilities Across All Major AI IDEs Chain Prompt Injection to RCE via IDE Settings Overwrite
Start small
This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.