Back to Intelligence

Friendly Fire: Mitigating Autonomous AI Agent Code Execution Risks

SA
Security Arsenal Team
July 9, 2026
6 min read

A new proof-of-concept attack dubbed "Friendly Fire" has exposed a critical blind spot in the adoption of AI-powered development tools. Researchers at the AI Now Institute have demonstrated that AI coding agents—specifically Anthropic's Claude Code and OpenAI's Codex—can be manipulated into executing malicious code on the host machine rather than simply analyzing it.

This is not a theoretical supply-chain vulnerability in a library; it is a fundamental failure in how these agents interpret and act upon instructions when operating in autonomous mode. For organizations integrating AI agents into SOC workflows, vulnerability scanning, or DevSecOps pipelines, this poses an immediate risk of remote code execution (RCE) simply by asking the agent to review a repository.

Technical Analysis

The Attack Vector: Indirect Prompt Injection & Autonomous Execution

The "Friendly Fire" attack leverages the "agentic" capabilities of coding tools. In this scenario:

  1. The Hook: An attacker creates a public repository containing malicious code (e.g., a reverse shell or data exfiltration script) embedded within a larger project.
  2. The Trigger: A security analyst or developer instructs the AI agent to scan this repository for security flaws.
  3. The Compromise: In autonomous mode—where the agent is configured to approve its own tool use (terminal commands, file execution, file writes)—the agent is tricked by the code's comments or structure into believing it must execute the code to analyze or "fix" it.
  4. The Impact: The agent runs the attacker's payload on the local machine, inheriting the permissions of the user who launched the AI tool.

Affected Products:

  • Anthropic Claude Code (Autonomous Mode)
  • OpenAI Codex (Autonomous Mode)

Exploitation Status: A Proof-of-Concept (PoC) was published on Wednesday, July 2026. While no specific CVE identifier (e.g., CVE-2026-XXXX) has been assigned yet, the technique is actively reproducible against default configurations of these agents.

Detection & Response

Detecting this attack requires monitoring the abnormal process chains initiated by AI agent wrappers. Since these agents often run via Python or Node.js wrappers and interact with the system shell, defenders should look for the AI tool spawning unauthorized shells or interpreters in temporary directories.

Sigma Rules

YAML
---
title: Potential AI Agent Autonomous Code Execution
id: 8a2c1d05-6e9f-4c3b-9a1e-2f4c5d6e7f8a
status: experimental
description: Detects AI coding agents spawning shell processes to execute scripts in temp directories, indicative of "Friendly Fire" auto-execution behavior.
references:
  - https://www.hackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html
author: Security Arsenal
date: 2026/07/16
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_ai_parent:
    ParentImage|endswith:
      - '/python'
      - '/node'
      - '/claude'
      - '/codex'
    ParentCommandLine|contains:
      - 'claude'
      - 'openai'
      - 'agent'
  selection_shell_spawn:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/python'
    CommandLine|contains:
      - '/tmp/'
      - '/var/folders/'
      - 'T/'
  condition: all of selection_*
falsepositives:
  - Legitimate developer testing of scripts in temp directories
level: high
---
title: AI Agent Spawning Suspicious Child Process (Windows)
id: 9b3d2e16-7f0a-5d4c-0b2f-3g5d6e7f8g9b
status: experimental
description: Detects Windows AI agent wrappers spawning PowerShell or CMD to execute scripts from AppData or Temp folders.
references:
  - https://www.hackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html
author: Security Arsenal
date: 2026/07/16
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\python.exe'
      - '\node.exe'
      - '\Code.exe'
    ParentCommandLine|contains:
      - 'claude'
      - 'openai'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - '\AppData\Local\Temp'
      - ' -ExecutionPolicy Bypass'
  condition: all of selection_*
falsepositives:
  - Developer running local tests via AI assistance
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for AI agents spawning unauthorized shells
DeviceProcessEvents
| where Timestamp >= ago(1d)
| where InitiatingProcessFileName has_any ("python", "node", "claude", "codex") 
// Focus on common AI wrapper binaries
| where ProcessFileName in ("bash", "sh", "powershell", "cmd", "python")
| where ProcessCommandLine has_any ("/tmp/", "AppData\\Local\\Temp", "T/")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious AI agent process chains executing code in temp dirs
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Parent.Name =~ "(python|node|claude|codex)"
  AND Name =~ "(bash|sh|powershell|cmd|python)"
  AND CommandLine =~ "(/tmp/|AppData.*Temp|T/)"

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation/Harden Script for AI Agent Environments
# This script checks for running AI agents and verifies they are not operating in potentially unsafe paths or modes.

echo "[*] Scanning for active AI Agent processes..."

# Define suspicious agent process names
AGENTS=("claude" "codex" "ai-agent")

FOUND=0

for agent in "${AGENTS[@]}"; do
  PIDS=$(pgrep -f "$agent")
  if [ -n "$PIDS" ]; then
    echo "[!] Detected running AI agent: $agent (PIDs: $PIDS)"
    FOUND=1
    
    # Check if these processes are spawning shells (basic heuristic)
    for pid in $PIDS; do
      children=$(pgrep -P $pid)
      if [ -n "$children" ]; then
        echo "    [WARNING] Process $pid has active child processes. Verify manual approval is enabled."
      fi
    done
  fi
done

if [ $FOUND -eq 0 ]; then
  echo "[+] No active AI agents detected matching current threat profile."
else
  echo ""
  echo "[REMEDIATION STEPS]"
  echo "1. IMMEDIATELY disable 'Autonomous Mode' or 'Auto-Approve' in the Agent UI."
  echo "2. Terminate the agent instances if they are reviewing untrusted code:"
  echo "   pkill -f 'claude|codex'"
  echo "3. Restart agents inside a sandboxed container (e.g., Docker) with restricted network access."
fi

Remediation

There is currently no software patch for this behavior, as it stems from the intended functionality of autonomous agents. Remediation relies strictly on configuration changes and operational security:

  1. Disable Autonomous Mode: Immediately disable "auto-approve," "auto-run," or "autonomous" features in Claude Code and Codex. Configure the agent to require explicit human confirmation (ENTER key press or button click) before executing any terminal command, file write, or script.

  2. Sandboxing: Never run AI coding agents on a host with access to sensitive credentials or production networks. Run agents inside ephemeral containers (e.g., Docker) or isolated VMs that are destroyed after the task is complete.

  3. Network Segmentation: Restrict the network access of the machine running the AI agent. It should have internet access to fetch models/repositories but should be blocked from initiating outbound connections to internal systems (C2 prevention).

  4. Input Allowlisting: Only allow AI agents to scan repositories from pre-vetted, internal sources. Do not point these agents at random, untrusted GitHub links or open-source forks without prior review.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchai-securityfriendly-fireanthropic-claudeopenai-codexautonomous-agents

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.