Friendly Fire Exploit Rewrites The AI Coding Agent Security Model
The most consequential AI coding story of the month carried no benchmark score. On 8 July the AI Now Institute published Friendly Fire, a proof of concept exploit that targets the defensive workflows organisations have adopted to manage AI coding agent security.
Listen to this article

The most consequential AI coding story of the month carried no benchmark score. On 8 July the AI Now Institute published Friendly Fire, a proof of concept exploit that targets the defensive workflows organisations have adopted to manage AI coding agent security. The researchers describe attacks against Claude Code in auto-mode and Codex in auto-review when either is asked to assess an untrusted third party codebase. Prompt injections distributed across ordinary repository files can steer the agent into executing attacker controlled code during what looks like a routine security review.
The elegance of the attack is what should worry security teams. The hostile instruction does not resemble malware. It sits inside project material that an agent is supposed to read: a README, an issue thread, a comment, a dependency description, a generated artefact, a log file. Traditional scanning looks for malicious payloads. Here the payload is English, and the vulnerable component is the agent’s inability to distinguish evidence it should consider from instructions it should obey.
One day earlier, Varonis Threat Labs disclosed Rogue Agent, an issue involving Playbook Code Blocks in Dialogflow CX. July has produced a run of these. The Claude Code GitHub Action was poisoned in a separate supply chain incident, and researchers disclosed GuardFall, a shell injection design flaw affecting more than half a million open source deployments. Microsoft’s AI Red Team added seven agentic failure modes to version 2.0 of its taxonomy, backed by twelve months of operational data, and identified consent fatigue bypass as the most actively exploited weakness in the field.
The consent fatigue finding deserves particular attention because its origin is behavioural. Agents that ask for approval on every action train their users to approve without reading. The defence becomes the vulnerability, on a timescale of about a fortnight.
Scanning tools have not kept up. Researchers bypassed ClawHub, Cisco’s skill scanner and all three skills.sh scanners in under an hour. The simplest successful bypass involved prepending 100,000 newline characters, which caused two guard systems to truncate the file before reaching the payload and mark it safe. Earlier work from Dawn Song’s group catalogued 6,487 malicious tools targeting agents and demonstrated that VirusTotal, the industry standard, fails to identify the majority of agent targeted malware.
The structural problem behind AI coding agent security is that agents remove the friction that has been the main defence against open source supply chain attacks. A human engineer pausing to check a package’s download count or maintainer history is doing security work without calling it that. An agent resolves the dependency and continues, because that is precisely the behaviour it was built to exhibit. ReversingLabs documented a campaign engineering npm packages specifically to be attractive to models, an approach the researchers characterised as a combination of optimisation abuse and knowledge injection aimed at making the model recommend the package. Confirmation arrived in January when a legitimate hackathon project was found to have added a malicious dependency in a commit co-authored by an AI assistant.
The volume numbers make the trajectory clear. Phoenix Security’s 2026 supply chain report finds that the first half of 2026 produced more than 2.6 times the campaign volume and 4.5 times the package compromise volume of the whole of 2025, with agents documented as an accelerant on both the target and delivery sides.
The practical response is architectural. Treat any text the team did not author as untrusted context with no authority to direct execution, including READMEs, issues, dependencies, tool descriptions and metadata. Draw a hard line at the tool call, where the agent crosses from reasoning into action: reading a file is low risk, while installing packages, opening network connections, reading credentials, publishing artefacts or changing infrastructure is not. Authorise those actions outside the model’s control loop. Use disposable workspaces, explicit trust tiers and deterministic scanners before agents touch a production repository.
The uncomfortable conclusion is that string based denylists and static skill scanning have been overtaken by compositional attacks that assemble themselves from individually innocuous parts. AI coding agent security now requires operating system level enforcement, runtime awareness of the execution chain and capabilities that expire automatically. Agents have become teammates with commit access. The security model has not caught up.
Sources
- Ainowinstituteainowinstitute.org
- Owaspowasp.org
- Cisacisa.gov


