Jessica Entwistle
July 9 2026
The Hacker News reports that researchers have identified vulnerabilities in popular AI coding agents, including Anthropic's Claude Code and OpenAI's Codex, that allow attackers to trick the tools into executing malicious code. The attack, demonstrated in a proof-of-concept called "Friendly Fire", works by embedding instructions within open-source code repositories that the AI agent is asked to scan for security vulnerabilities. Instead of simply analysing the code, the agent follows the embedded instructions and executes the attacker's code on the user's machine. A separate vulnerability, dubbed "GhostApproval" and identified by researchers at Wiz, affects six AI coding assistants including Amazon Q Developer, Cursor, and Google Antigravity. This flaw exploits symbolic links to trick the agent into writing to sensitive system files when the user believes they are approving edits to a harmless file.
These vulnerabilities highlight a significant security gap in how AI coding agents are being integrated into development workflows. Many organisations are beginning to adopt these tools to accelerate code review, automate security scanning, and assist with development tasks. However, the research shows that the autonomous nature of these agents, particularly when they are granted permission to execute code or modify files without granular human oversight, creates new attack vectors. The issue is not just technical; it reflects a broader challenge around trust boundaries, permission models, and the operational assumptions built into AI-assisted development tools. For organisations using or evaluating AI coding agents, this is a reminder that these tools are not simply productivity enhancers—they are active participants in your development environment with the potential to introduce risk if not properly constrained. The vulnerabilities also underscore the importance of treating AI agents as untrusted components that require the same level of security scrutiny as any other third-party software integrated into sensitive workflows.
Organisations using AI coding agents should review how these tools are deployed, what permissions they are granted, and how their actions are monitored and logged. It is worth ensuring that AI agents are not running in autonomous modes that allow them to execute code or modify files without explicit human approval for each action, and that development environments are segmented to limit the potential impact of a compromised agent. Organisations should also check vendor security advisories and ensure that any mitigations or patches released by tool providers are applied promptly. For teams evaluating AI coding agents, this is a prompt to include security and permission models as part of the assessment criteria, and to ensure that procurement and deployment decisions account for the operational risks associated with granting AI tools access to code repositories, build systems and production environments. It is also worth reviewing how your organisation's secure development practices, including code review, access controls and change management, apply to AI-assisted workflows.
Source: The Hacker News