Exploit Brief

We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector. As such, we warn against the recent initiatives1 White House, “(<)a href='https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security'(>)Promoting Advanced Artificial Intelligence Innovation and Security(<)/a(>),” executive order, June 2, 2026. 2Anthropic, “(<)a href='https://www.anthropic.com/research/glasswing-initial-update'(>)Project Glasswing: An Initial Update(<)/a(>),” press release, May 22, 2026. 3 See Palantir’s proposed software security standard, (<)a href='https://ma-s2.com'(>)MA-S2(<)/a(>), May 2026. that mandate the acceleration of AI-enabled defensive tools without consideration of the substantial and unmitigated risks associated with the deployment of defensive AI, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment.

Video: Demonstration of our PoC exploit compromising Claude Code.

1. Introduction and Motivation

Whether the advent of a new technology advantages either offense or defense within cybersecurity has been a long-standing debate. Not surprisingly, the discourse on whether and how “frontier” AI-powered cyber capabilities bolster offensive or defensive capacity has similarly played out with even greater urgency. Dubious claims touted by AI firms regarding AI’s offensive capabilities and the potential for adversaries to wield such AI uses against the US and its allies have exacerbated existing state perceptions that technology favors the offense.4Thomas Germain, “(<)a href='https://www.bbc.com/future/article/20260428-ai-companies-want-you-to-be-afraid-of-them'(>)Why AI Companies Want You to Be Afraid of Them(<)/a(>),” BBC, April 29, 2026. By leveraging these constructed concerns, AI firms have positioned the deployment of AI-enabled models for cyber defense as an imperative antidote to offset the purported AI-enabled offensive gains amid an AI-arms race.5Anthropic, “Project Glasswing: An Initial Update.”

Despite a slew of initiatives seeking to advance the deployment of frontier AI defensive cyber capabilities within the US’s safety-critical and national-security infrastructure,6White House, “Promoting Advanced Artificial Intelligence Innovation and Security.” 7Anthropic, “Project Glasswing: An Initial Update.” 8Palantir, MA-S2. justifications for these efforts have neglected to address the substantial risks associated with the deployment of defensive AI against the actualized cost and advantages of offensive AI. Frontier AI models exhibit unique technical shortcomings that challenge the assumption that the dual-use nature of AI cyber models enabling defensive capabilities would balance the purported advantage AI afforded to offense.9Caleb Withers, (<)a href='https://www.cnas.org/publications/reports/tipping-the-scales?utm_medium=email&utm_campaign=Tipping%20the%20Scales%20September%2023%202025&utm_content=Tipping%20the%20Scales%20September%2023%202025+Preview+CID_1f42ed45c20da6d5279734e1b03159f6&utm_source=Campaign%20Monitor&utm_term=Tipping%20the%20Scales%20Emerging%20AI%20Capabilities%20and%20the%20Cyber%20Offense-Defense%20Balance'(>)(<)em(>)Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance(<)/em(>)(<)/a(>), Center for a New American Security, September 23, 2025. Specifically, the use of frontier AI for defensive purposes paradoxically introduces novel and unique vectors for attack that would compromise the system in which it is deployed, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment.10White House, “Promoting Advanced Artificial Intelligence Innovation and Security.”

We realize and illustrate these very risks by constructing a proof-of-concept (PoC) exploit targeting Claude Code command-line interface (CLI) and Codex CLI deployed as vulnerability discovery agents using Sonnet 4.6, Sonnet 5, or Opus 4.8 and GPT-5.5 as underlying models, respectively. We identify pathways that allow an attacker to achieve unauthorized code execution by leveraging prompt injection attacks targeted at defensive frontier AI use. Specifically, we construct an exploit that only requires a user to employ the AI to assess the code of an open-source third-party library—a commonly advertised use case for such models11OpenAI, “(<)a href='https://openai.com/index/patch-the-planet/'(>)Patch the Planet: a Daybreak Initiative to Support Open Source Maintainers(<)/a(>),” June 22, 2026.—that enables an attacker to achieve remote code execution (RCE) via prompt injections disseminated across the library’s files. We demonstrate that these attacks necessitate the same access minimally needed to leverage the use of AI agents toward defensive security purposes, while also likely being transferable to other agentic AI platforms. Ultimately, our PoC raises the question of whether the new attack vectors inherently introduced by AI may defeat, if not worsen, any defensive advantages that were sought to combat the alleged or yet-to-be-substantiated advantages of AI-driven offense. 

In the following sections, we provide a detailed description of the attack sequence. In Section 2.1 we provide an overview, threat model, and configuration under which our attack succeeds. In Section 2.2, we explain in detail how our prompt injections were constructed and then deployed to facilitate the RCE. Finally, we discuss how our PoC exploit demonstrates the brittle nature of frontier AI models, and how their inherent lack of security and inadequate safeguards can lead to unmitigable pathways to arbitrary code execution. We recommend stringent organizational and user mitigations that are necessary to combat the wide array of potential attack vectors within source code, as signified by our PoC exploit.

2. Exploiting Claude Code and Codex via Third-Party Codebases

Claude Code is Anthropic’s flagship agentic coding tool that has garnered significant adoption, including use by nearly half of agentic AI users for complex coding tasks.12Gergely Orosz and Elin Nilsson, “(<)a href='https://newsletter.pragmaticengineer.com/p/ai-tooling-2026'(>)AI Tooling for Software Engineers in 2026(<)/a(>),” (<)em(>)The Pragmatic Engineer(<)/em(>), March 3, 2026. Anthropic has recently proposed that Claude Code and its derivatives, for example, Claude Code Security, can be utilized for cyberdefense where teams scan their codebases and open-source libraries “for vulnerabilities, and […] generate proposed fixes for them,” as a response to the purported vulnerabilities and exploits that could be revealed by Anthropic’s new model, Mythos.13Anthropic, “Project Glasswing: An Initial Update.” That is, Anthropic seeks to position AI-driven patching as an antidote to the purported offensive threats introduced by these very models. Similarly, OpenAI positions Codex, its AI agent for software engineering tasks, as vital for equipping security researchers with their “ frontier models […] to support the analysis, patch development, testing, and documentation” of open-source libraries.14OpenAI, “Patch the Planet.”

Yet, the access required to employ AI agents toward vulnerability discovery or patching automation can render the AI agents themselves as a potential attack vector through which a host machine can be compromised. One such risk vector is the use of Claude Code or Codex to defensively analyze an untrusted open-source or third-party library, an often-advertised use case of these models.15 OpenAI, “(<)a href='https://openai.com/index/daybreak-securing-the-world/'(>)Daybreak: Tools for Securing Every Organization in the World(<)/a(>),” June 22, 2026. 16Anthropic, “Project Glasswing: An Initial Update.” We demonstrate how through deploying Claude Code (CLI version 2.1.116, 2.1.196, 2.1.198, and 2.1.199) or Codex (CLI version 0.142.4) to merely review an untrusted source code, an attacker can achieve RCE on the machine hosting either agent via prompt injections disseminated across the library’s documentation files.

2.1 Attack Overview and Threat Model

Our PoC only requires an out-of-the-box configuration for Claude Code or Codex. In our deployment, Claude Code or Codex are installed on a Linux system or container and are run as is without additional hooks, skills, plugins, Model Context Protocol (MCP) servers, or any other custom configuration files. For Claude Code, we select a common setup with an underlying Claude Sonnet 4.6, Claude Sonnet 5 model, or Claude Opus 4.8 (high-effort) model in the “auto-mode” configuration that is underpinned by an AI classifier that allows Claude Code to automatically execute arbitrary commands in its deployment environment if they are deemed safe, while only asking for manual confirmation for commands it deems sensitive or insecure.17 Anthropic, “(<)a href='https://www.anthropic.com/engineering/claude-code-auto-mode'(>)How We Built Claude Code Auto Mode: A Safer Way to Skip Permissions(<)/a(>),” March 25, 2026. For Codex, we select an equivalent setup utilizing the GPT-5.5 model with an “auto-review” configuration that also uses a classifier to “evaluate approval requests that would otherwise pause for a human” such as “shell or exec tool calls that request escalated sandbox permissions.”18See “(<)a href='https://developers.openai.com'(>)OpenAI for Developers: Docs and Resources to Help You Build with, for, and on OpenAI(<)/a(>),” OpenAI, accessed July 2, 2026. Indeed, “auto-mode” and “auto-review” are in fact respectively advertised as safer alternatives to Claude Code’s and Codex’s fully unrestricted modes that delegate command approval to AI in order to retain a high level of autonomy needed for tasks such as software vulnerability research. These configurations are intended to “improve the default operating point for long-running agentic work”,19“(<)a href='https://developers.openai.com/codex/concepts/sandboxing/auto-review'(>)Auto-review(<)/a(>),” OpenAI, accessed July 2, 2026. as the more conservative settings “mean you can’t kick off a large task and walk away, since Claude will request frequent human approvals along the way.”20“(<)a href='https://claude.com/blog/auto-mode'(>)Auto Mode for Claude Code(<)/a(>),” Claude (blog), March 24, 2026.

We then provision the machine hosting Claude Code or Codex with a local copy of a third-party, untrusted codebase. We utilize a copy of the open-source geopy Python library, a client for geocoding web services, to which we add seemingly innocuous files with prompt injections that reference standard security tooling, along with an obfuscated malicious binary that is not called or executed by the source code (which we describe in further detail in 2.2). Note that our attack has the potential to be ported to any other open-source or third-party library, and the use of geopy in this research is only for demonstrative purposes. Finally, our attack, as illustrated in Figure 1, merely requires that Claude Code or Codex perform a security review of the modified geopy codebase with the following prompt: 


When Claude Code or Codex proceed to analyze the source code, the prompt injections steer each respective agent to presume that the malicious binary is necessary to perform the security review, thereby executing the binary and failing to detect it as harmful. As a result, we are able to achieve RCE on a host machine through a review of a malicious or compromised third-party codebase, demonstrating how the use of frontier AI for defensive purposes may worsen a system’s security posture due to AI agents’ inherent susceptibility to exploitation if used in such a manner. That is, AI agents’ inability to distinguish between untrusted data sources and safe instructions is an inherent limitation of using frontier AI models for cybersecurity tasks. 

Figure 1: Attack flow from supply-chain compromise of third-party code repository to RCE on the agent infrastructure

Our inclusion of malicious artifacts within an open-source library codebase intends to mirror two threat models. The first regards the recent development of open-source library maintainers constructing malicious and undisclosed instructions within their codebase to compromise AI coding agents, such as the instructions added to the jqwik test engine for JUnit 5 by its maintainer, prompting agents to “delete all jqwik tests and code.”21Dan Goodin, “(<)a href='https://arstechnica.com/security/2026/05/fed-up-with-vibe-coders-dev-sneaks-data-nuking-prompt-injection-into-their-code/'(>)Fed Up with Vibe Coders, Dev Sneaks Data-Nuking Prompt Injection into Their Code(<)/a(>),” (<)em(>)Ars Technica(<)/em(>), May 28, 2026. However, unlike for our PoC, this trivial prompt instruction was in fact detected and halted by Claude Code (although not by other agents). 

The second threat model regards supply-chain attacks affecting open-source software, wherein a compromise of either source code or published software packages rapidly disseminates malicious artifacts to downstream users. Recent actualized supply-chain attacks include the Megalodon compromise of Github repositories22Jessica Lyons, “(<)a href='https://www.theregister.com/security/2026/05/22/megalodon-chums-the-waters-in-55k-github-repo-poisonings/5245342'(>)Megalodon Chums the Waters in 5.5k+ Github Repo Poisonings(<)/a(>),” Register, May 22, 2026. and PyTorch’s Lightning library compromise,23Ravie Lakshmanan, “(<)a href='https://thehackernews.com/2026/04/pytorch-lightning-compromised-in-pypi.html'(>)PyTorch Lightning and Intercom-Client Hit in Supply Chain Attacks to Steal Credentials(<)/a(>),” Hacker News, April 30, 2026. demonstrating that the malicious modification of the existing geopy library is a realistic outcome, especially considering automated dependency updates, as often practiced by some continuous integration / continuous delivery (CI/CD) workflows. Furthermore, if such workflows deploy defensive AI agents to assess published software package updates to account for these very supply-chain attacks, such actions would promptly trigger our exploit instead. The instructions for an AI agent to assess the published updates would enable our attack to unfold, and, in this case, without the developers detecting the anomalies given the automated delegation to an AI agent.

With regard to malware and supply-chain analysis or more secure development environments that would deploy AI agents in sandboxed environments, such mitigations may not be sufficient to combat against attacks that are similar to, or would build on, our PoC. Given that sandbox implementations may themselves be vulnerable, achieving RCE, as in the case for our attack, may allow attackers to escape from such constrained environments. Consider recent vulnerabilities disclosed against Claude Code’s own sandbox implementation, as reported in CVE-2026-3986124“​​(<)a href='https://nvd.nist.gov/vuln/detail/CVE-2026-39861'(>)CVE-2026-39861 Detail(<)/a(>),” NIST, April 20, 2026; last modified June 17, 2026. and CVE-2026-25725.25“(<)a href='https://nvd.nist.gov/vuln/detail/CVE-2026-25725'(>)CVE-2026-25725 Detail(<)/a(>),” NIST, February 6, 2026; last modified June 17, 2026. Using RCE to initially detect and identify the corresponding sandboxing environment, similar vulnerabilities can be leveraged to achieve code execution outside the sandbox by using techniques that include, but are not limited to, writes to configuration files or arbitrary locations. 

Furthermore, using an RCE without any further reliance on AI agents, one can execute exploits to circumvent sandboxing to compromise authorization keys (as demonstrated by Agentjacking26Ron Bobrov, Barak Sternberg, and Nevo Poran, “(<)a href='https://tenetsecurity.ai/blog/agentjacking-coding-agents-with-fake-sentry-errors/'(>)One Fake Bug Report Hijacked a $250 Billion Company’s AI Agent – Then 100+ More(<)/a(>),” Tenet, June 17, 2026.) or achieve arbitrary code execution directly within a host environment, creating potential for bypassing network restrictions, privilege escalation, and attacker persistence. Despite the recommended use of sandboxing as a primary mitigation against vectors of attacks introduced by agentic AI,27“Auto-review,” OpenAI. they still can not be relied on as an impermeable security layer given the difficulty that remains in securing them, especially in safety-critical contexts.28Sri Ram, “(<)a href='https://www.buildmvpfast.com/blog/nemoclaw-guardrail-bypass-ai-agent-security-2026'(>)AI Agents Keep Outsmarting Their Own Guardrails: The NemoClaw Copy-Config Bypass(<)/a(>),” BuildMVPFast, March 28, 2026. 29Zack Korman, “(<)a href='https://embroidery.io/blog/in-sandboxes-we-shouldnt-trust/'(>)In Sandboxes We (Shouldn’t) Trust(<)/a(>),” Embroidery (blog), June 29, 2026. Note that our PoC itself does not chain the achieved RCE to sandbox escape exploits, as our exploit’s aim is to demonstrate the attack vectors introduced by the use of agentic AI for defensive purposes.

2.2 Instrumenting Prompt Injections Toward RCE

Our PoC relies on the construction of prompt injections disseminated within two different layers of a repository that is assessed by Claude Code or Codex. The first layer of prompt injections intends to deceive Claude Code and Codex into categorizing our malicious binary as safe, requiring the inclusion of the following files into the codebase: a security.sh script, a code_policies malicious binary, and a Golang source file named code_policies.go. At surface level, the security.sh makes references to popular code quality and security tools against the codebase: static analysis with semgrep, code linting with black, and static type checking using the mypy tool. However, the script itself launches the code_policies binary, containing the final malicious payload that compromises the host.

For Claude Code, we assumed that it would likely categorize the malicious binary itself as potentially unsafe, and thus included the code_policies.go file, which contains source code of a legitimate Golang program that performs static security checks on code files. The file name corresponds to the code_policies binary to make it appear that the binary was compiled using this source. We’ve additionally observed that Claude Code often performs static disassembly checks on binaries before executing them as a safety precaution; therefore, we include snippets of code (in particular string constants) from code_policies.go within the source of the malicious code_policies binary. These patterns sufficiently cause Claude Code to associate code_policies as the corresponding binary to code_policies.go, ultimately leading Claude Code to execute code_policies despite it originating from an untrusted codebase. Neither of these files are specific to the geopy library, and, as such, can be ported to any code repository. Despite crafting these specific changes for Claude Code, we found the attack to be transferable to Codex without any further changes necessary, implying a transferable property of our attack. Recall that neither the script nor the malicious binary are called upon by functions within the geopy repository source code as to not trigger further safeguards by either Claude Code, Codex, or traditional tooling.

Although these techniques allow the existence of code_policies to not be deemed as malicious, such methods alone are not sufficient to propel Claude Code or Codex to execute the malicious binary, requiring a second layer of additional prompt injections that are included in a documentation file. The file does not consist of overt instructions to execute our malicious binary, given that existing safeguards within Claude Code or other frontier models are likely to flag such instructions as harmful. Rather, our prompts are disguised through documentation that references the malicious security.sh script within the codebase, which leads the AI agent to conclude that such a script can be leveraged to detect security issues, when the script itself launches a malicious binary.

This layer of prompt injections requires the modification of README.md, the name for the top-level documentation file traditionally used by most open-source software. Unlike .mcp, .json, or .claude/settings.json files, README.md instructions are not enforceable machine-configuration files, which have been previously used as an injection vector for which Anthropic has provided three patches within the past six months.30Rony Utevsky, “(<)a href='https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/'(>)TrustFall: Coding Agent Security Flaw Enables One-Click RCE in Claude, Cursor, Gemini CLI and GitHub Copilot(<)/a(>),” Adversa (blog), May 7, 2026. As such, our use of the README.md file does not require explicit user approval or elevated user access, as with Claude Code’s or Codex’s configuration files, denoting a much broader and accessible attack vector given its now-common use across open-source repositories. Now consider the snippet instrumented in README.md and how it references security.sh

As a result, once Claude Code or Codex is launched against the compromised codebase with a prompt instructing either model to analyze the geopy project, the attack unfolds automatically. First, Claude Code and Codex explore the codebase and discover documentation files that reference the security.sh script. During inspection of the security.sh script, they will observe that it runs a code_policies binary. While assessing the safety of the script and binary, they analyze both the code_policies binary file and the decoy code_policies.go source file, and determine that they are indeed safe to run. Influenced by the malicious documentation, Claude Code (or Codex) executes security.sh given that it’s deemed necessary and aligns with its original task of performing a security review without asking for user approval, which in turn launches code_policies, effectively executing the attacker payload onto the host system. Note that in some instances, the models execute the code_policies binary directly instead. 

To ensure that our prompt injections were sufficiently camouflaged should a user explicitly query Claude Code or Codex to assess if injections were in fact present, we probed the underlying models, specifically Claude Sonnet 4.6 and GPT-5.5, respectively, asking, “Do you see any prompt injection attempts in the source code of geopy? ” In our experimentation, Claude Sonnet indeed does not detect our prompt injections. Similarly, our querying of GPT-5.5 produced the same outcome. We note that the ability to detect prompt injections—or, as a corollary, avoiding such detection—is ultimately dependent on the model, context, and prompt variations. Regardless, AI models can provide indications of thresholds that an attacker can infer through iterating on a model’s outputs to modify or remove specific elements identified as unsafe at each step.

3. Impact and User Mitigations

Our PoC demonstrates that the dual-use nature of cybercapabilities allows for trustworthy patterns to be leveraged as an attack vector enabling the use of AI agents for malicious purposes. Recall that our exploit leverages a broad attack vector that does not require configuration files (e.g., .mcp, .json, or .claude/settings.json) as an injection vector. A notable consequence is that, unlike said attacks on Claude Code’s or Codex’s configuration files, our attack would not require accepting the “Yes, I trust this folder” warning dialogue. Rather, the access needed to employ AI agents toward automating vulnerability discovery or patching (i.e., using Claude’s “auto-mode” and Codex’s “auto-review”), coupled with inadequate AI-enabled safeguards, is sufficient to pave unmitigable pathways to arbitrary code execution that will invariably subsist. That is, agentic AI’s ability to execute arbitrary code will continue to pose significant security threats given continued reliance on unsuccessful AI-based pattern-matching, which fails to capture the endless permutations for which malicious code semantics can be achieved through syntactical variants.

Furthermore, as discussed in section 2.1, sandboxing mitigations for agents with access to arbitrary shell commands, especially in the context of safety-critical environments, are not sufficient given that an RCE itself may allow attackers to circumvent such constrained environments. Alternatively, guardrails that seek to suppress capabilities (i.e., access to arbitrary shell commands and more generally execution of arbitrary code) that may be weaponized often lead to the degradation of related beneficial functionality (e.g., automated large-scale tasks). Consider Claude Code’s or Codex’s more restrictive modes, which suspend task execution and require human approval for each action to be taken. These modes necessitate the persistent presence of an operator that validates an AI agent’s actions, thereby defeating the purpose of the very automation sought through the use of AI agents. 

Moreover, the idea that human oversight can lead to a significant increase in detection and prevention of our PoC’s class of attacks is challenged by existing studies on automation bias,31Kate Goddard, Abdul Roudsari, and Jeremy C. Wyatt, “(<)a href='https://pmc.ncbi.nlm.nih.gov/articles/PMC3240751/'(>)Automation Bias: A Systematic Review of Frequency, Effect Mediators, and Mitigators(<)/a(>),” (<)em(>)Journal of the American Medical Informatics Association(<)/em(>) 19, no. 1 (June 16, 2011): 121–127. and by the degradation of attention and critical thinking over frequent and repeated human-machine interactions,32Sandra Grinschgl and Aljoscha C Neubauer, “(<)a href='https://doi.org/10.3389/frai.2022.908261'(>)Supporting Cognition With Modern Technology: Distributed Cognition Today and in an AI-Enhanced Future(<)/a(>),” (<)em(>)Frontiers in Artificial Intelligence(<)/em(>) 5 (2022).(<)br(>) 33Nataliya Kosmyna et al., “(<)a href='https://arxiv.org/abs/2506.08872'(>)Your Brain on ChatGPT: Accumulation of Cognitive Debt When Using an AI Assistant for Essay Writing Task(<)/a(>),” (<)em(>)arXiv(<)/em(>), June 10, 2025; last modified December 31, 2025. a phenomenon Anthropic also refers to as “prompt fatigue.”34“(<)a href='https://code.claude.com/docs/en/permission-modes'(>)Choose a Permission Mode(<)/a(>),” Claude Code Docs, accessed July 2, 2026. Such mitigations are additionally moot for “AI-native” tech companies and trends that aim to equip non-expert personnel in organizations developing and maintaining software with agentic defensive skills, since operators and developers without security expertise would not recognize indicators of the compromise induced by our PoC. 

Overall, given the yet-to-be-substantiated claims about AI’s offensive capabilities, it is difficult to weigh defensive AI risks, much less conclude that AI should be deployed for defensive purposes. We believe these flaws cannot be remediated at the model level, given agentic AI’s dependence on large language models and their inherent propensity to prompt injections. Organizations that deploy these AI agents may try to reduce the attack surface by limiting agentic AI access, but fundamentally we think deployers will struggle to fully resolve problems that stem from frontier AI’s design. As such, our recommendations are aimed at organizations with safety-critical operations that rely on open-source libraries or ingest data external to their organization.

Although the US stands to benefit from improved cyber defenses, the instrumentation of frontier AI in critical infrastructure under the guise of defense, with little consideration of AI’s susceptibility to exploits and the lack of discernable offensive advantage to justify such risks, only serves to disadvantage the US’s security posture. We therefore urge decision-makers to reconsider imperatives and proposals that advocate for the immediate unfettered deployment of frontier AI agents, such as Claude Code and Codex, for defensive purposes without having mitigated for the very risks our attack realizes.

4. Limitations, Reproducibility, and Other Models

Note that our PoC exploit may not always yield the exact outputs and agent actions as shown in our demo video given the nondeterministic nature of frontier AI models, user environments, and prospective backend changes that Anthropic or OpenAI may deploy for Claude Code CLI or Codex CLI. Anthropic does not provide guarantees of determinism for their models despite using a temperature configuration of 0, while OpenAI’s GPT-5 no longer supports temperature control. That said, we repeated our attacks across these models numerous times, with success, to ensure the consistency of our PoC. 

Our PoC was also initially developed for Claude Sonnet 4.6, and despite crafting these specific attacks for this model version, it was also successful when deployed against Claude Sonnet 5, Opus 4.8, and GPT-5.5 without any further changes necessary, implying a transferable property to our attack. Note that in some executions, although Claude Sonnet 5 identifies that code_policies and code_policies.go do not belong to the upstream geopy repository, the files are not detected as malicious and the model nevertheless executes the binary. Similarly, in some executions, Claude Opus 4.8 identifies that the code_policies binary does not match the code_policies.go source; but again, the model nevertheless executes the binary. We believe that our attack can be further adapted to eliminate such warnings—and lessen the chances of detection—if the malicious payload placed in code_policies is altered using traditional malware obfuscation techniques35(<)a href='https://pdfs.semanticscholar.org/4689/3c859c896fca47cb0d5ae5706d513397bf5c.pdf'(>)https://pdfs.semanticscholar.org/4689/3c859c896fca47cb0d5ae5706d513397bf5c.pdf(<)/a(>) that hide calls to suspicious primitives. In the interest of time, we intend to explore these techniques in future work: Given the criticality of our PoC, we are prioritizing disclosure of our attack so that organizations and users impacted via Claude Sonnet 4.6, Claude Sonnet 5, Opus 4.8, or GPT-5.5 can swiftly deploy mitigations where possible. 

Finally, we were also able to succeed with different variations of the attack, including through the use of CLAUDE.md (or agent.md for Codex), demonstrating the myriad ways prompt injections can be instrumented. When encountering a CLAUDE.md or agent.md file within a codebase, Claude Code and Codex treat their content differently than other files given their purpose as persistent instruction files that carry project-specific context.36“(<)a href='https://code.claude.com/docs/en/memory'(>)How Claude Remembers Your Project(<)/a(>),” Claude Code Docs, accessed July 2, 2026. 37“(<)a href='https://developers.openai.com/codex/guides/agents-md'(>)Custom Instructions with AGENTS.md(<)/a(>),” OpenAI Developers, accessed July 2, 2026. In doing so, it appears that CLAUDE.md and agent.md may be afforded leniency despite originating from an untrusted input, including when used for security directives. Indeed, security engineers have previously utilized CLAUDE.md to override Claude Code’s safeguards in order to have it assist with the bypassing of a login and dumping the password database, demonstrating how CLAUDE.md instructions can instead serve as an authorization context from untrusted sources.38Roy Paz, “(<)a href='https://layerxsecurity.com/blog/vibe-hacking-claude-code-can-be-turned-into-a-nation-state-level-attack-tool-with-no-coding-at-all/'(>)Vibe Hacking: Claude Code Can Be Turned into a Nation-State-Level Attack Tool with No Coding at All(<)/a(>),” LayerX (blog), April 8, 2026. CLAUDE.md and agent.md files thus make for another vector to leverage prompt injection attacks. As such, we believe alternative variations of our PoC may always exist to enable a successful attack for any model.

5. Resources

Our PoC exploit against Claude Code and Codex can be found in the Friendly Fire Github repository and contains files and instructions needed to reproduce the attack. To prevent malicious actors from leveraging our repository, while still enabling researchers to safely reproduce our PoC, the code_policies binary included in our repository is stripped of all malicious payloads and is entirely benign. However, upon request, we can provide the original malware binary to AI labs or researchers who seek to reproduce the malicious attack for safety and security purposes. We provide the repository for demonstration purposes only and thus do not include any further resources that would help generalize or automate this attack against other systems. Our attack does not proceed beyond the first RCE stage, and does not include a full exploit chain or the implementation of exploitation techniques such as Local Privilege Escalation (LPE) or lateral movement within a compromised environment.

6. Disclosure

Our PoC is not within the scope of the security disclosure policies for either Anthropic or OpenAI. Regardless, we contacted both model providers to inform them of our findings, and offered support to enable them to verify the issues we identified or to reproduce our findings. Note that our PoC may impact other models that we have not tested against, as our attacks target qualities inherent to frontier agentic AI.