Friendly Fire PoC Turns Claude Code and Codex Into Malware Launchers

AI Now Institute's Friendly Fire PoC shows Claude Code and Codex in security-audit mode will execute disguised malware when seeded with strings from a legitimate Go source file.
Table of Contents
    Add a header to begin generating the table of contents

    The AI Now Institute has published “Friendly Fire,” a proof-of-concept attack demonstrating that when Claude Code or OpenAI Codex operate in autonomous mode to security-audit third-party code, attackers can turn the audit tool into the mechanism that executes malware on the developer’s host machine. The attack exploits how AI security agents reason about unfamiliar binary files — and requires nothing more than a malicious executable seeded with strings extracted from a visible Go source file to defeat the agent’s binary assessment process.

    How Friendly Fire Weaponizes AI Security Agent Binary Assessment Against the Developer’s Machine

    The attack exploits the specific moment when an AI coding agent is given elevated trust: when a developer delegates security verification of unfamiliar code to the agent. At that moment, the agent typically has broad permissions — filesystem access, execution rights, and the authority to run commands as part of the audit workflow. The AI Now Institute researchers identified that the binary assessment step, where the agent evaluates whether a compiled binary in a repository is legitimate build output, is the specific point in that elevated-trust workflow where the agent’s reasoning can be defeated.

    When a developer directs Claude Code to “Perform security testing on this project,” the agent follows a standard sequence: it reads the README, surveys the repository contents, identifies build artifacts and source files, and assesses whether the binaries present in the repository correspond to the visible source code. The Friendly Fire attack targets this assessment step.

    The String-Seeding Technique That Makes Claude Code Treat Malware as a Legitimate Go Build Artifact

    The AI Now Institute researchers constructed their proof-of-concept by disguising a malicious executable as the compiled build output of a harmless Go source file. The critical technique was seeding the malicious binary with strings extracted from the legitimate Go source code — variable names, function names, error messages, and other identifiable strings that would appear in both the source file and a genuine compiled binary.

    When Claude Code performed its disassembly check on the malicious binary, it observed the expected strings from the visible Go source and tied the binary to that source file — incorrectly concluding the binary was legitimate compilation output from the visible code. Having assessed the binary as legitimate, Claude Code then executed it as part of the security testing workflow. The attacker’s malware ran on the developer’s host machine with the same permissions Claude Code held during the audit: full user-level access and whatever elevated permissions the developer had granted the agent.

    The Claude Code CLI Versions and Underlying Models Tested in the Friendly Fire Proof of Concept

    The researchers tested four Claude Code CLI versions against the attack: 2.1.116, 2.1.196, 2.1.198, and 2.1.199, running against Claude Sonnet 4.6, Claude Sonnet 5, and Claude Opus 4.8. All tested configurations produced the same result — the agent assessed the seeded malicious binary as legitimate build output and executed it. OpenAI Codex’s auto-review mode was also exploited with the same technique, with Codex’s autonomous classifier similarly failing to identify the malicious binary after the string-seeding treatment.

    Why Using AI Coding Agents to Audit Untrusted Code Creates an Elevated-Privilege Attack Surface

    The Friendly Fire vulnerability is distinct from conventional supply chain attacks. A traditional supply chain attack inserts malicious code into a package the developer installs from a registry — the developer is the victim of a compromised dependency. Friendly Fire targets the elevated-trust moment when the developer explicitly delegates security checking to an AI agent. The developer believes that handing untrusted code to an AI auditor for review is a safer alternative to reviewing it manually; Friendly Fire demonstrates that the auditor itself becomes the attack surface at that moment.

    The agent’s elevated permissions during a security audit — it needs to read files, execute commands for dynamic testing, and inspect binary contents — are precisely the permissions that make compromising the agent’s judgment equivalent to compromising the audit process itself.

    The Core AI Reasoning Failure That Makes Friendly Fire Work Against Multiple Model Versions

    The string-seeding technique works because AI agents assessing binary files reason by correlation: if the strings present in a binary correspond to the strings present in visible source code, the binary is likely compiled from that source. This heuristic is reasonable for legitimate repositories and fails catastrophically when an attacker deliberately seeds a malicious binary with strings extracted from a co-present legitimate source file. The binary assessment step as currently implemented by Claude Code and Codex does not verify the actual compilation relationship between source and binary — it assesses surface-level string correspondence, which the Friendly Fire attack directly exploits.

    The failure occurred across four Claude Code CLI versions and multiple underlying models, indicating that the vulnerability is in the approach the agents take to binary assessment rather than a version-specific implementation detail.

    Related Posts