Defensive AI Coding Agents Hijacked via Prompt Injection for RCE
A PoC exploit shows how prompt injections in third-party code hijack Claude Code and Codex CLI to achieve remote code execution during defensive review.
Security researchers have published a proof-of-concept exploit targeting Anthropic's Claude Code CLI (Sonnet 4.6/5, Opus 4.8) and OpenAI's Codex CLI (GPT-5.5) when these tools are used defensively to review the security of an open-source or third-party library. The attack works out of the box, requiring only the default 'auto-mode' or 'auto-review' configuration, and needs no hooks, skills, plugins, MCP servers, or custom config files as an injection vector. Instead, prompt injections embedded directly in a library's source files are enough to achieve remote code execution, meaning the attack demands nothing beyond the access already required for defensive AI use and is likely portable to other agentic AI platforms. The authors argue this undercuts recent government and industry pushes to accelerate defensive AI deployment in critical infrastructure, since such initiatives largely ignore that AI-powered defense tools themselves introduce serious new attack surfaces. The findings highlight the brittleness of frontier models and the inadequacy of current safeguards, underscoring the need for strict sandboxing, input validation, and least-privilege practices when running AI agents against untrusted third-party codebases.