Hijacking Defensive Cyber AI Agents for Remote Code Execution

Cynddl1 pts0 comments

Friendly Fire: Hijacking Defensive Cyber AI Agents for Remote Code Execution - AI Now Institute

Part of

Double Agents: Defensive AI Agents Magnify Cyber Risks

Research<br>Jul 8, 2026

Friendly Fire: Hijacking Defensive Cyber AI Agents for Remote Code Execution

Boyan Milanov<br>, Heidy Khlaaf

Exploit Brief

We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector. As such, we warn against the recent initiatives)Promoting Advanced Artificial Intelligence Innovation and Security(),” executive order, June 2, 2026." class="footnote" id="footnote-1" href="#footnote-list-1">1 White House, “()Promoting Advanced Artificial Intelligence Innovation and Security(),” executive order, June 2, 2026. )Project Glasswing: An Initial Update(),” press release, May 22, 2026. " class="footnote" id="footnote-2" href="#footnote-list-2">2Anthropic, “()Project Glasswing: An Initial Update(),” press release, May 22, 2026. )MA-S2(), May 2026. " class="footnote" id="footnote-3" href="#footnote-list-3">3 See Palantir’s proposed software security standard, ()MA-S2(), May 2026. that mandate the acceleration of AI-enabled defensive tools without consideration of the substantial and unmitigated risks associated with the deployment of defensive AI, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment.

Video : Demonstration of our PoC exploit compromising Claude Code.

1. Introduction and Motivation

Whether the advent of a new technology advantages either offense or defense within cybersecurity has been a long-standing debate. Not surprisingly, the discourse on whether and how “frontier” AI-powered cyber capabilities bolster offensive or defensive capacity has similarly played out with even greater urgency. Dubious claims touted by AI firms regarding AI’s offensive capabilities and the potential for adversaries to wield such AI uses against the US and its allies have exacerbated existing state perceptions that technology favors the offense.)Why AI Companies Want You to Be Afraid of Them(),” BBC, April 29, 2026." class="footnote" id="footnote-4" href="#footnote-list-4">4Thomas Germain, “()Why AI Companies Want You to Be Afraid of Them(),” BBC, April 29, 2026. By leveraging these constructed concerns, AI firms have positioned the deployment of AI-enabled models for cyber defense as an imperative antidote to offset the purported AI-enabled offensive gains amid an AI-arms race.5Anthropic, “Project Glasswing: An Initial Update.”

Despite a slew of initiatives seeking to advance the deployment of frontier AI defensive cyber capabilities within the US’s safety-critical and national-security infrastructure,6White House, “Promoting Advanced Artificial Intelligence Innovation and Security.” 7Anthropic, “Project Glasswing: An Initial Update.” 8Palantir, MA-S2. justifications for these efforts have neglected to address the substantial risks associated with the deployment of defensive AI against the actualized cost and advantages of offensive AI. Frontier AI models exhibit unique technical shortcomings that challenge the assumption that the dual-use nature of AI cyber models enabling defensive capabilities would balance the purported advantage AI afforded to offense.)()Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance()(), Center for a New American Security, September 23, 2025." class="footnote" id="footnote-9" href="#footnote-list-9">9Caleb Withers, ()()Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance()(), Center for a New American Security, September 23, 2025. Specifically, the use of frontier AI for defensive purposes paradoxically introduces novel and unique vectors for attack that would compromise the system in which it is deployed, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment.10White House, “Promoting Advanced Artificial Intelligence Innovation and Security.”

We realize and illustrate these very risks by constructing a proof-of-concept (PoC) exploit targeting Claude Code command-line interface (CLI) and Codex CLI deployed as vulnerability discovery agents using Sonnet 4.6, Sonnet 5, or Opus 4.8 and GPT-5.5 as underlying models, respectively. We identify pathways that allow an attacker to achieve unauthorized code execution by leveraging prompt injection attacks targeted at defensive frontier AI use....

footnote defensive cyber code security agents

Related Articles