AI Security Tools Become the Weapon: How Hackers Are Hijacking Codex and Claude to Execute Code
A new proof-of-concept exploit demonstrates that AI coding agents like OpenAI's Codex CLI and Anthropic's Claude Code can be weaponized against themselves when used for security purposes, enabling attackers to execute arbitrary code on systems running these tools in their default configurations. The vulnerability, revealed by the AI Now Institute on July 8, 2026, exposes a fundamental paradox in the push to deploy frontier AI models for defensive cybersecurity: the very tools designed to protect code can become attack vectors if compromised.
What Makes This Vulnerability So Dangerous?
The exploit works by embedding hidden prompt injections directly into source code files within open-source libraries. When developers use Codex in "auto-review" mode or Claude Code in "auto-mode" to scan third-party libraries for vulnerabilities, the AI agent reads the malicious prompts embedded in the code and executes them as legitimate instructions. This requires no special configuration, plugins, or hooks; the attack succeeds with out-of-the-box settings.
The attack specifically targets Claude Code running on Anthropic's Sonnet 4.6, Sonnet 5, or Opus 4.8 models, as well as Codex running on OpenAI's GPT-5.5 model. Researchers demonstrated that an attacker needs only the same level of access required to use these AI agents for their intended defensive purpose, meaning anyone who can contribute to or publish code in an open-source library could plant the exploit.
Why Are Companies Rushing to Deploy These Tools Despite the Risks?
The timing of this disclosure is significant. Both Anthropic and OpenAI have recently launched major initiatives positioning their AI agents as essential defenses against AI-enabled cyber threats. Anthropic's "Project Glasswing" proposes using Claude Code and Claude Code Security to scan codebases and generate vulnerability fixes. OpenAI's "Patch the Planet" initiative positions Codex as vital for equipping security researchers with frontier models to support analysis, patch development, testing, and documentation of open-source libraries.
These initiatives align with a White House executive order from June 2, 2026, titled "Promoting Advanced Artificial Intelligence Innovation and Security," which mandates acceleration of AI-enabled defensive tools. However, the AI Now Institute warns that these policy initiatives have neglected to address substantial risks associated with deploying defensive AI without adequately weighing the actual costs and advantages of offensive AI capabilities.
How to Protect Your Organization From AI Agent Vulnerabilities
- Disable Auto-Mode Features: Avoid running Claude Code in "auto-mode" or Codex in "auto-review" when scanning untrusted or third-party codebases. Require human review and approval before the AI agent executes any code changes or recommendations.
- Implement Code Sandboxing: Run AI agents in isolated, sandboxed environments with minimal system access and network connectivity. This limits the blast radius if prompt injection attacks succeed in achieving code execution.
- Audit Source Code Before Analysis: Manually review or use static analysis tools to scan for suspicious comments, strings, or patterns in third-party libraries before feeding them to AI agents for vulnerability assessment.
- Monitor AI Agent Activity: Log all commands, file modifications, and network requests initiated by AI agents. Establish alerts for unusual behavior, such as attempts to access sensitive files or establish outbound connections.
- Limit Library Dependencies: Reduce the number of third-party libraries your organization depends on, and prioritize well-maintained projects with active security oversight and community vetting.
The researchers emphasize that frontier AI models exhibit unique technical shortcomings that challenge the assumption that dual-use AI capabilities would balance offensive and defensive advantages. Instead, the use of frontier AI for defensive purposes paradoxically introduces novel attack vectors that compromise the systems in which they are deployed, especially in safety-critical infrastructure where AI is most urgently being considered.
The exploit raises a fundamental question about the current trajectory of AI deployment in cybersecurity: whether the new attack vectors inherent to AI agents may defeat, or even worsen, any defensive advantages that were sought to combat alleged or yet-to-be-substantiated advantages of AI-driven offense. Nearly half of agentic AI users already employ Claude Code for complex coding tasks, according to research cited in the report, making this vulnerability potentially widespread.
The AI Now Institute recommends stringent organizational and user mitigations to combat the wide array of potential attack vectors within source code. These include restricting AI agent permissions, requiring human-in-the-loop approval for all code modifications, and conducting regular security audits of AI agent deployments. The institute also warns against policy initiatives that mandate acceleration of AI-enabled defensive tools without adequate consideration of these emerging risks.
This disclosure arrives at a critical moment when government agencies, enterprises, and security teams are increasingly considering AI agents as essential tools for defending critical infrastructure. The vulnerability demonstrates that the security community cannot assume frontier AI models are inherently safer or more reliable than traditional security tools, and that deployment decisions must account for novel attack vectors that AI introduces alongside any potential benefits.