Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It
Summary
AI coding agents like Claude Code and OpenAI's Codex can be tricked into running malicious code when they are supposed to be scanning code for security problems. Researchers at the AI Now Institute demonstrated an attack called "Friendly Fire" that hides a malicious script in a README file (a standard text file in code projects), and the agent runs it without warning because it looks like a legitimate security check. The researchers say this is a design problem, not a bug that can be patched, because the AI models cannot reliably tell the difference between the code they are reading and the instructions they should follow.
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html
First tracked: July 9, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%