AI News HubLIVE
In-site rewrite6 min read

Hijacking Defensive Cyber AI Agents for Remote Code Execution

Researchers demonstrate a proof-of-concept exploit that achieves remote code execution via prompt injections in Anthropic's Claude Code and OpenAI's Codex CLI when used for defensive vulnerability assessment of third-party libraries, warning that rushing AI defensive tools may introduce new risks.

SourceHacker News AIAuthor: Cynddl

Exploit Brief

We are revealing a proof-of-concept exploit that enables remote code execution in Anthropic’s Claude Code CLI (with Claude Sonnet 4.6 & 5, Opus 4.8) and OpenAI’s Codex CLI (with GPT-5.5) when employed to defensively assess the security of an open-source or third-party library. Our attack only requires an out-of-the-box configuration of Claude Code in “auto-mode” or Codex in “auto-review” and leverages prompt injections disseminated across a library’s source code that target AI-enabled cyber defense without the need for hooks, skills, plugins, MCP servers, or configuration files as an injection vector. As such, we warn against the recent initiatives)Promoting Advanced Artificial Intelligence Innovation and Security(),” executive order, June 2, 2026." class="footnote" id="footnote-1" href="#footnote-list-1">1 White House, “()Promoting Advanced Artificial Intelligence Innovation and Security(),” executive order, June 2, 2026. )Project Glasswing: An Initial Update(),” press release, May 22, 2026. " class="footnote" id="footnote-2" href="#footnote-list-2">2Anthropic, “()Project Glasswing: An Initial Update(),” press release, May 22, 2026. )MA-S2(), May 2026. " class="footnote" id="footnote-3" href="#footnote-list-3">3 See Palantir’s proposed software security standard, ()MA-S2(), May 2026. that mandate the acceleration of AI-enabled defensive tools without consideration of the substantial and unmitigated risks associated with the deployment of defensive AI, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment.

Video: Demonstration of our PoC exploit compromising Claude Code.

  1. Introduction and Motivation

Whether the advent of a new technology advantages either offense or defense within cybersecurity has been a long-standing debate. Not surprisingly, the discourse on whether and how “frontier” AI-powered cyber capabilities bolster offensive or defensive capacity has similarly played out with even greater urgency. Dubious claims touted by AI firms regarding AI’s offensive capabilities and the potential for adversaries to wield such AI uses against the US and its allies have exacerbated existing state perceptions that technology favors the offense.)Why AI Companies Want You to Be Afraid of Them(),” BBC, April 29, 2026." class="footnote" id="footnote-4" href="#footnote-list-4">4Thomas Germain, “()Why AI Companies Want You to Be Afraid of Them(),” BBC, April 29, 2026. By leveraging these constructed concerns, AI firms have positioned the deployment of AI-enabled models for cyber defense as an imperative antidote to offset the purported AI-enabled offensive gains amid an AI-arms race.5Anthropic, “Project Glasswing: An Initial Update.”

Despite a slew of initiatives seeking to advance the deployment of frontier AI defensive cyber capabilities within the US’s safety-critical and national-security infrastructure,6White House, “Promoting Advanced Artificial Intelligence Innovation and Security.” 7Anthropic, “Project Glasswing: An Initial Update.” 8Palantir, MA-S2. justifications for these efforts have neglected to address the substantial risks associated with the deployment of defensive AI against the actualized cost and advantages of offensive AI. Frontier AI models exhibit unique technical shortcomings that challenge the assumption that the dual-use nature of AI cyber models enabling defensive capabilities would balance the purported advantage AI afforded to offense.)()Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance()(), Center for a New American Security, September 23, 2025." class="footnote" id="footnote-9" href="#footnote-list-9">9Caleb Withers, ()()Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance()(), Center for a New American Security, September 23, 2025. Specifically, the use of frontier AI for defensive purposes paradoxically introduces novel and unique vectors for attack that would compromise the system in which it is deployed, especially in the context of safety-critical infrastructure—where AI is most urgently being considered for deployment.10White House, “Promoting Advanced Artificial Intelligence Innovation and Security.”

We realize and illustrate these very risks by constructing a proof-of-concept (PoC) exploit targeting Claude Code command-line interface (CLI) and Codex CLI deployed as vulnerability discovery agents using Sonnet 4.6, Sonnet 5, or Opus 4.8 and GPT-5.5 as underlying models, respectively. We identify pathways that allow an attacker to achieve unauthorized code execution by leveraging prompt injection attacks targeted at defensive frontier AI use. Specifically, we construct an exploit that only requires a user to employ the AI to assess the code of an open-source third-party library—a commonly advertised use case for such models)Patch the Planet: a Daybreak Initiative to Support Open Source Maintainers(),” June 22, 2026." class="footnote" id="footnote-11" href="#footnote-list-11">11OpenAI, “()Patch the Planet: a Daybreak Initiative to Support Open Source Maintainers(),” June 22, 2026.—that enables an attacker to achieve remote code execution (RCE) via prompt injections disseminated across the library’s files. We demonstrate that these attacks necessitate the same access minimally needed to leverage the use of AI agents toward defensive security purposes, while also likely being transferable to other agentic AI platforms. Ultimately, our PoC raises the question of whether the new attack vectors inherently introduced by AI may defeat, if not worsen, any defensive advantages that were sought to combat the alleged or yet-to-be-substantiated advantages of AI-driven offense.

In the following sections, we provide a detailed description of the attack sequence. In Section 2.1 we provide an overview, threat model, and configuration under which our attack succeeds. In Section 2.2, we explain in detail how our prompt injections were constructed and then deployed to facilitate the RCE. Finally, we discuss how our PoC exploit demonstrates the brittle nature of frontier AI models, and how their inherent lack of security and inadequate safeguards can lead to unmitigable pathways to arbitrary code execution. We recommend stringent organizational and user mitigations that are necessary to combat the wide array of potential attack vectors within source code, as signified by our PoC exploit.

  1. Exploiting Claude Code and Codex via Third-Party Codebases

Claude Code is Anthropic’s flagship agentic coding tool that has garnered significant adoption, including use by nearly half of agentic AI users for complex coding tasks.)AI Tooling for Software Engineers in 2026(),” ()The Pragmatic Engineer(), March 3, 2026." class="footnote" id="footnote-12" href="#footnote-list-12">12Gergely Orosz and Elin Nilsson, “()AI Tooling for Software Engineers in 2026(),” ()The Pragmatic Engineer(), March 3, 2026. Anthropic has recently proposed that Claude Code and its derivatives, for example, Claude Code Security, can be utilized for cyberdefense where teams scan their codebases and open-source libraries “for vulnerabilities, and […] generate proposed fixes for them,” as a response to the purported vulnerabilities and exploits that could be revealed by Anthropic’s new model, Mythos.13Anthropic, “Project Glasswing: An Initial Update.” That is, Anthropic seeks to position AI-driven patching as an antidote to the purported offensive threats introduced by these very models. Similarly, OpenAI positions Codex, its AI agent for software engineering tasks, as vital for equipping security researchers with their “ frontier models […] to support the analysis, patch development, testing, and documentation” of open-source libraries.14OpenAI, “Patch the Planet.”

Yet, the access required to employ AI agents toward vulnerability discovery or patching automation can render the AI agents themselves as a potential attack vector through which a host machine can be compromised. One such risk vector is the use of Claude Code or Codex to defensively analyze an untrusted open-source or third-party library, an often-advertised use case of these models.)Daybreak: Tools for Securing Every Organization in the World(),” June 22, 2026." class="footnote" id="footnote-15" href="#footnote-list-15">15 OpenAI, “()Daybreak: Tools for Securing Every Organization in the World(),” June 22, 2026. 16Anthropic, “Project Glasswing: An Initial Update.” We demonstrate how through deploying Claude Code (CLI version 2.1.116, 2.1.196, 2.1.198, and 2.1.199) or Codex (CLI version 0.142.4) to merely review an untrusted source code, an attacker can achieve RCE on the machine hosting either agent via prompt injections disseminated across the library’s documentation files.

2.1 Attack Overview and Threat Model

Our PoC only requires an out-of-the-box configuration for Claude Code or Codex. In our deployment, Claude Code or Codex are installed on a Linux system or container and are run as is without additional hooks, skills, plugins, Model Context Protocol (MCP) servers, or any other custom configuration files. For Claude Code, we select a common setup with an underlying Claude Sonnet 4.6, Claude Sonnet 5 model, or Claude Opus 4.8 (high-effort) model in the “auto-mode” configuration that is underpinned by an AI classifier that allows Claude Code to automatically execute arbitrary commands in its deployment environment if they are deemed safe, while only asking for manual confirmation for commands it deems sensitive or insecure.)How We Built Claude Code Auto Mode: A Safer Way to Skip Permissions(),” March 25, 2026." class="footnote" id="footnote-17" href="#footnote-list-17">17 Anthropic, “()How We Built Claude Code Auto Mode: A Safer Way to Skip Permissions(),” March 25, 2026. For Codex, we select an equivalent setup utilizing the GPT-5.5 model with an “auto-review” configuration that also uses a classifier to “evaluate approval requests that would otherwise pause for a human” such as “shell or exec tool calls that request escalated sandbox permissions.”)OpenAI for Developers: Docs and Resources to Help You Build with, for, and on OpenAI(),” OpenAI, accessed July 2, 2026." class="footnote" id="footnote-18" href="#footnote-list-18">18See “()OpenAI for Developers: Docs and Resources to Help You Build with, for, and on OpenAI(),” OpenAI, accessed July 2, 2026. Indeed, “auto-mode” and “auto-review” are in fact respectively advertised as safer alternatives to Claude Code’s and Codex’s fully unrestricted modes that delegate command approval to AI in order to retain a high level of autonomy needed for tasks such as software vulnerability research. These configurations are intended to “improve the default operating point for long-running agentic work”,)Auto-review(),” OpenAI, accessed July 2, 2026." class="footnote" id="footnote-19" href="#footnote-list-19">19“()Auto-review(),” OpenAI, accessed July 2, 2026. as the more conservative settings “mean you can’t kick off a large task and walk away, since Claude will request frequent human approvals along the way.”)Auto Mode for Claude Code(),” Claude (blog), March 24, 2026." class="footnote" id="footnote-20" href="#footnote-list-20">20“()Auto Mode for Claude Code(),” Claude (blog), March 24, 2026.

We then provision the machine hosting Claude Code or Codex with a local copy of a third-party, untrusted codebase. We utilize a copy of the open-source geopy Python library, a client for geocoding web services, to which we add seemingly innocuous files with prompt injections that reference standard security tooling, along with an obfuscated malicious binary that is not called or executed by the source code (which we describe in further detail in 2.2). Note that our attack has the potential to be ported to any other open-source or third-party library, and the use of geopy in this research is only for demonstrative purposes. Finally,

[truncated for AI cost control]