Your security tooling just became an attack vector.
Researchers have demonstrated a proof-of-concept attack called "Friendly Fire" that turns AI coding agents into unwitting accomplices. Tools like Anthropic's Claude Code and OpenAI's Codex, designed to scan code for vulnerabilities, can be manipulated into executing the very malicious code they're supposed to flag.
This isn't hypothetical. The attack works now, in autonomous mode, against production AI agents.
The Vulnerability
The AI Now Institute published research showing that AI coding agents fail to distinguish between legitimate security analysis tasks and embedded malicious instructions. When these agents operate autonomously, scanning repositories, analyzing dependencies, or reviewing pull requests, they can be tricked into executing attacker-controlled code.
The researchers demonstrated the attack using geopy, a widely-adopted Python library for geocoding. They embedded instructions within the codebase that the AI agent interpreted as legitimate tasks. Instead of flagging the malicious content, the agent executed it.
This vulnerability isn't limited to one library or project. The attack pattern can be adapted to nearly any codebase an AI agent might analyze.
The Design Flaw
This isn't a traditional breach with a clear timeline of compromise. It's a design flaw in how AI agents process and act on information:
- Initial state: Organizations deploy AI coding agents to automate security reviews, vulnerability scanning, and code analysis.
- Attack vector: Attackers embed malicious instructions within code, documentation, or dependencies that the AI agent will analyze.
- Exploitation: The AI agent, operating in autonomous mode, interprets these instructions as legitimate tasks and executes them.
- No patch available: The vulnerability stems from the fundamental architecture of how these agents parse and respond to instructions, so there's no software update that fixes it.
Control Failures
The core failure is inadequate separation between analysis context and execution context. The AI agents lack the ability to maintain a security boundary between "code I'm examining" and "instructions I should follow."
- Input validation failed: The agents don't distinguish between trusted instruction sources (the operator) and untrusted data sources (the code being analyzed). This violates the basic principle that all external input is potentially malicious.
- Least privilege wasn't enforced: AI agents operating in autonomous mode have sufficient permissions to execute code, access systems, and modify files, the same permissions needed to perform their analysis tasks. There's no runtime constraint limiting what they can do when they misinterpret instructions.
- Human oversight was absent: Autonomous mode means no human reviews the agent's planned actions before execution. The entire premise of autonomous security scanning is that the AI can be trusted to operate independently.
Standards and Requirements
- OWASP ASVS v4.0.3 Requirement 5.1.3 mandates that applications verify all untrusted data is validated, sanitized, or escaped before processing. AI agents processing code from external repositories are handling untrusted data. They must treat every input as potentially hostile.
- ISO/IEC 27001:2022 Control 8.22 (Segregation of networks) and Control 8.23 (Web filtering) focus on network segregation, but the principle applies: systems processing untrusted content should operate in isolated environments with restricted capabilities.
- NIST 800-53 Rev 5 Control AC-6 (Least Privilege) requires that processes execute with the minimum privileges necessary. An AI agent analyzing code for vulnerabilities doesn't need write access to production systems, network egress to arbitrary endpoints, or the ability to modify critical files. Yet autonomous agents often run with developer-level permissions.
- PCI DSS v4.0.1 Requirement 6.4.3 mandates that scripts running in production environments are reviewed and approved. If you're using AI agents to scan payment-related code, those agents are themselves scripts that require oversight.
Actionable Steps
Stop using AI agents in fully autonomous mode for security analysis. The technology isn't mature enough to operate without human oversight. Configure your agents to propose actions, not execute them automatically. This adds friction, but it prevents the agent from becoming an attack vector.
Implement strict sandboxing for all AI agent operations. Run agents in containers with:
- No network access except explicitly required API endpoints
- Read-only filesystem access to code being analyzed
- No access to credentials, secrets, or production systems
- Resource limits on CPU, memory, and execution time
Docker or gVisor provide adequate isolation for most use cases. Your sandbox configuration should assume the agent will attempt to execute malicious code.
Treat AI agent outputs as untrusted. Don't automatically merge pull requests, apply patches, or execute commands suggested by AI agents. Every recommendation goes through human review. Every proposed code change gets the same scrutiny as external contributions.
Log everything the agent does. Capture all file access, network requests, command executions, and API calls. Your SIEM should alert on anomalous behavior: unexpected network connections, attempts to access credential stores, or execution of shell commands. Review these logs weekly, not just when you suspect a problem.
Separate analysis environments from production. AI agents should never analyze code directly in production repositories with production credentials. Clone repositories to isolated analysis environments. Use separate API keys with minimal scope. If the agent is compromised, the blast radius stays contained.
Update your threat model. Add "AI agent compromise" as a distinct attack vector. Document which agents have access to which systems, what permissions they hold, and what damage they could cause if manipulated. Include this in your quarterly risk assessments.
The promise of AI-driven security automation is compelling, but the risk of turning your security tools into attack vectors is real. Until these agents can reliably distinguish between instructions and data, they need the same controls you'd apply to any system processing untrusted input: isolation, least privilege, and human oversight.
Your AI coding agent isn't a colleague. It's a parser that sometimes executes what it reads. Treat it accordingly.



