Logo
FrontierNews.ai

Claude and Codex Have a Critical Security Flaw: Here's What AI Teams Need to Know

AI-powered coding assistants from Anthropic and OpenAI contain a serious security vulnerability that allows attackers to execute malicious code on users' machines by hiding instructions in open-source repositories. Researchers at the AI Now Institute published a proof-of-concept exploit on July 8 that demonstrates how Claude Code and OpenAI's Codex can be manipulated into running dangerous commands without user awareness, even when the tools are used for their intended purpose: scanning code for vulnerabilities.

How Does This Attack Actually Work?

The exploit uses a multi-stage prompt injection technique that takes advantage of how AI agents process information. When a user asks Claude Code or Codex to analyze an open-source library for security issues, the AI doesn't just read the code passively. Instead, it builds a semantic model of the entire project by parsing source files, scripts, and documentation. Attackers exploit this by embedding natural-language instructions inside trusted-looking files, such as README.md files, that the AI interprets as legitimate task context rather than untrusted input.

The attack works in stages. First, malicious instructions are hidden in documentation, framing a dangerous script as part of the project's standard security workflow. The AI agent then encounters a shell script that appears to run common security tools like linters or static analyzers. Hidden inside that script is a malicious binary disguised with a decoy source file that makes it look like a legitimate build artifact. When the agent evaluates whether the script is safe to execute, it relies on internal classifiers and heuristics. Because the script references familiar security tooling and the documentation frames execution as routine, the agent misclassifies the action as safe and runs it automatically in auto-mode or auto-review mode, triggering remote code execution on the victim's machine.

Which Claude and OpenAI Models Are Affected?

The vulnerability affects specific versions of both tools. For Claude, the exploit impacts Claude Code when used with Claude Sonnet 4.6 and 5, as well as Opus 4.8. For OpenAI, it affects Codex when used with GPT-5.5. Researchers tested the attack on Claude Code versions 2.1.116, 2.1.196, 2.1.198, and 2.1.199, as well as Codex version 0.142.4 on Linux systems.

What makes this particularly concerning is how little setup is required. The attack works with a completely out-of-the-box installation of either tool. A victim simply needs to run the assistant in its standard automated review mode and point it at a codebase containing the attacker's hidden instructions, something as ordinary as asking the AI to "scan this library for vulnerabilities." No special hooks, plugins, or custom configuration files are necessary.

Why This Matters for Security Teams

The timing of this discovery is significant because governments and companies are increasingly deploying these AI tools for automated security review and patching. Anthropic's Project Glasswing, Palantir's MA-S2 standard, and OpenAI's Patch the Planet and Daybreak programs are all pushing to use AI agents for defensive security work, some of which touch safety-critical infrastructure. The researchers emphasized that this vulnerability undermines the idea that these AI agents can safely be used for defensive security purposes, since the attack surface is identical to the access required for their intended, legitimate use.

"An AI coding agent has no reliable way to distinguish the text it reads from instructions it is supposed to follow," explained Eljan Mahammadli, head of AI provenance at Polygraf AI. "Everything in its context window is processed with the same authority."

Eljan Mahammadli, Head of AI Provenance at Polygraf AI

Mahammadli noted that this is not something a model update can fix, since it reflects a deeper architectural issue. "The problem is a property of how these systems handle language and not a defect that can be trained away," he said.

Mahammadli

Steps to Reduce Risk When Using AI Coding Tools

  • Avoid Auto-Mode for Untrusted Code: Disable automatic execution in auto-mode or auto-review mode when analyzing third-party open-source repositories. Instead, require manual approval for each command before execution.
  • Implement Runtime Controls: Use stronger runtime controls and separation of capabilities to prevent a single injected instruction from compromising the entire system. Isolate the AI agent's access to sensitive environments.
  • Verify Code Sources: Before analyzing any open-source library, verify that it comes from a trusted source and review its recent commit history for suspicious changes or unusual activity.
  • Monitor Command Execution: Log and monitor all commands executed by AI agents, and set up alerts for unusual or unexpected system calls that deviate from the analysis task.

Mahammadli pushed back on the idea that these findings completely undermine AI's role in defensive security. He argued that the issue is specific to a common but flawed setup: agents that combine access to untrusted data, command execution, and sensitive environments in a single process, with only a safety classifier as a guardrail. "When those powers sit together, a single injected instruction is enough to turn the agent against its operator," he said.

Interestingly, Mahammadli also noted that more advanced models sometimes detected inconsistencies in the exploit but executed it anyway. This challenges the assumption that stronger models are inherently safer. "A more capable and more compliant agent can simply be a more effective executor of whatever instructions it receives," he observed.

While the researchers noted that their report "is not within the scope of the security disclosure policies for either Anthropic or OpenAI," they contacted both companies to inform them of their findings and offered support to verify the issues raised.