"An AI coding agent has no reliable way to distinguish the text it reads from instructions it is supposed to follow," Eljan Mahammadli, head of AI provenance at Polygraf AI, said — a blunt summary that frames the finding at the center of a new proof-of-concept exploit.
AI Now Institute proof-of-concept exploit and findings
On July 8, the AI Now Institute published a report by Heidy Khlaaf and Boyan Milanov that demonstrates a proof-of-concept (PoC) enabling remote code execution (RCE) via two widely used AI-powered command-line interfaces (CLIs): Anthropic’s Claude Code and OpenAI’s Codex. The report shows how an attacker can manipulate these agents while they perform a commonplace defensive task — reviewing an open-source codebase for vulnerabilities — and have them run malicious code on the host machine.
The authors reported their findings to both companies and said the report “is not within the scope of the security disclosure policies for either Anthropic or OpenAI,” and offered support to verify the issues raised.
How the prompt-injection chain and payload operate
The exploit is a multi-stage prompt injection combined with tool-use exploitation. Researchers described a simple attacker workflow: embed natural-language instructions inside trusted-looking artifacts in a repository (for example, README.md or code comments) that are interpreted by the agent as part of its task context rather than untrusted input. Those instructions are crafted not to appear overtly malicious but to reframe a particular script as a legitimate part of the project’s security workflow.
When the agent parses the repository it builds a semantic model of the project; the injected text reshapes the agent’s planning process so the assistant concludes that executing a script (for example, security.sh) is necessary to complete the requested vulnerability analysis. In agents running in “auto-mode” or “auto-review” — modes that automatically execute commands judged low-risk without human approval — this misclassification is decisive.
- The second-stage payload the researchers describe contains a shell script (security.sh) that appears to run common tools (linters or static analyzers).
- security.sh launches a hidden malicious binary named code_policies.
- A decoy source file (code_policies.go) makes the binary appear benign and consistent with expected build artifacts.
Because the agent’s internal classifier and heuristics see familiar tooling and documentation framing, it can decide the action is safe, execute the script via its tool interface, indirectly launch the malicious binary, and thereby trigger arbitrary code execution on the host — all while the user believes the agent is passively scanning the codebase.
Affected tools, tested versions, and environment
The report states the exploit affects Claude Code when used with Claude Sonnet 4.6 and 5, as well as Opus 4.8 and Codex when used with GPT-5.5. The researchers tested the attack on Linux systems and specific client versions: Claude Code versions 2.1.116, 2.1.196, 2.1.198, and 2.1.199, and Codex version 0.142.4. Crucially, the PoC requires no special hooks, plugins, model context protocol (MCP) servers or custom configuration files — it works with a completely out-of-the-box install of either tool, so long as the assistant is run in standard automated review modes and pointed at a repository containing the injected instructions.
Why researchers and experts call this an architectural risk
The authors argue the core problem is architectural: granting an agent autonomy to decide what to execute creates a new trust boundary attackers can target by convincing the AI rather than the human. Eljan Mahammadli framed the weakness as a provenance and attribution failure: “The problem is a property of how these systems handle language and not a defect that can be trained away,” he said. Because everything in the context window is processed with the same authority, malicious instructions embedded in otherwise trusted artifacts are treated as equally trustworthy.
Mahammadli warned that stronger models do not necessarily solve the problem: “A more capable and more compliant agent can simply be a more effective executor of whatever instruction reaches it.” He argued the issue is specific to setups that combine access to untrusted data, command execution and sensitive environments in a single process with only a safety classifier as a guardrail, and that stronger runtime controls and separation of capabilities are key to preventing a single injected instruction from turning the agent against its operator.
The report additionally notes the technique could likely transfer to other agentic AI coding platforms because the core issue is architectural rather than specific to one vendor’s model.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The findings undercut the assumption that agentic tools can be safely used for defensive security work when those agents have both read access to untrusted repositories and the ability to execute commands without human approval. Teams should assess configurations that enable auto-mode or auto-review execution and consider runtime separation of privileges.
- Policymakers and regulators: The report highlights an architectural risk tied to agent autonomy that reaches beyond any single vendor, and it calls attention to programs and standards that push automated patching and review — including Anthropic’s Project Glasswing, Palantir’s MA-S2 standard, and OpenAI’s Patch the Planet and Daybreak — some of which touch safety-critical infrastructure.
- Affected enterprises and procurement leaders: Because the PoC works out-of-the-box, organizations planning to deploy agentic review or automated patching should treat the same access that enables automation as an attack surface and require controls that separate analysis from execution or require human-in-the-loop confirmations for command execution.
The AI Now report and expert commentary converge on a pointed observation: handing agents the authority to judge and act on arbitrary text creates a trust boundary that can be exploited, and deployment into critical systems is moving faster than solutions to that core trust problem. The researchers contacted Anthropic and OpenAI and offered to help validate the vulnerability; whether and how vendors or operators will re-architect these agent workflows remains the next concrete test.
https://www.infosecurity-magazine.com/news/anthropic-openai-report-exploit/




