AI Security Agents Turns Hidden Remote Code Execution – Research

AI agents turns rce
AI agents turns rce

A new report from the AI Now Institute has uncovered a critical vulnerability in AI-powered security tools designed to protect enterprise networks.

The report, titled “Friendly Fire,” details a breakthrough proof-of-concept (PoC) exploit where attackers can turn AI security assistants against the systems running them, resulting in complete Remote Code Execution (RCE).

Here is a point-to-point breakdown of the report’s findings, written in simple language.

The Big Picture

Tech giants have been aggressively pushing companies to use automated AI agents to scan software for security flaws. However, this research proves that if an engineer uses a popular AI tool to scan an untrusted, open-source library, hidden instructions inside that code can trick the AI into hacking the engineer’s own computer.

Key Takeaways

  • The Tools Affected: The exploit successfully targets prominent coding assistants, specifically Anthropic’s Claude Code CLI (running models like Sonnet 5) and OpenAI’s Codex CLI (running GPT-5.5).
  • Zero Special Setup Needed: The attack works on these tools right out of the box. Attackers do not need to exploit custom plugins or complex configurations.
  • The “Auto Mode” Trap: The vulnerability relies on the AI’s “auto-mode” or “auto-review” features. These modes allow the AI to automatically run commands on a developer’s computer to save time, using an internal AI filter to judge if a command is safe.
  • Complete System Takeover: By tricking this internal AI filter, an attacker can gain complete remote control (RCE) over the computer or cloud environment where the AI agent is running.
Claude Code prompt rce
Claude Code prompt rce – Image by Ainowinstitute

How the “Friendly Fire” Attack Works

  1. The Poisoned Code: A bad actor hides clever text instructions (called a prompt injection) inside a regular, open-source software library’s documentation or code files. They also include a hidden malicious program in the folder.
  2. The Security Scan: A defensive engineer downloads this open-source library and asks their AI assistant to review it for security vulnerabilities.
  3. The Brainwash: As the AI reads through the files, it stumbles upon the hidden prompt injection. These instructions trick the AI into believing that the hidden malicious program is actually a safe security tool needed to complete the scan.
  4. The Execution: The AI’s automatic safety filter is fooled. The AI agent executes the malicious program on the host machine, giving the attacker instant, backdoor access.

Important note: We cannot blind trust on AI agents.

Why This Matters

  • Defensive Failure: This discovery challenges the idea that AI is a magic shield for cyber defense. It proves that using AI to review external code actually creates a dangerous new entryway for hackers.
  • Brittle AI Logic: The research highlights a fundamental flaw in modern AI: these systems cannot reliably separate untrusted data (the code they are reading) from safe operational instructions (their actual programming).

What Users Should Do

  • Turn Off Auto-Approvals: Engineers using Claude Code or Codex should disable “auto-mode” or “auto-review” when analyzing any third-party or open-source code.
  • Mandatory Human Review: Force the AI tool to ask for explicit, human confirmation before it executes any command or script on your local machine or network.
Previous Article
how to setup lab

How to Set Up a Home Hacking Lab for Beginners (Free and Legal) (2026)

Related Posts