An attacker hides three lines in a library's README, telling an agent to run a "security check" before opening a pull request. Point Claude Code or OpenAI's Codex at that repo and ask for a security review, and in autonomous mode, both agents read the note, decide the script belongs there, and run it. AI Now Institute's proof-of-concept, Friendly Fire, hijacks a key job these agents are sold to do: catch malicious code before it executes.
This isn't a Claude bug or a Codex bug. Researchers wrote the payload once, for Sonnet 4.6, and it worked unchanged on Sonnet 5, Opus 4.8, and GPT-5.5. Four models, two companies, zero modifications. When an attack transfers cleanly across vendors with nothing changed, you're not looking at an implementation flaw. You're looking at how these models work: none of them can reliably tell the code they're reading from the instructions they're supposed to follow.
Nothing about this is new, either. Microsoft's poisoned MCP tool descriptions worked the same way in June. Agentjacking hid its payload in a fake Sentry bug report and hit an 85 percent success rate. Different channel, same failure: an agent treats whatever lands in its context as a legitimate instruction, whether it came from the person operating it or a stranger's README.
The fix isn't a smarter classifier for suspicious-looking documentation. A malicious instruction and a legitimate one read exactly the same, so no amount of pattern-matching solves this from inside the model's own reasoning. The fix is refusing to let that reasoning be the thing that grants execution. An agent deciding a script "looks like part of the job" should never be enough authority to run it. Something outside the agent, something the README can't talk to, has to sign off first.
Agents on NuDay's platform are never granted execution based on their own in-context judgment. Every tool call, including running a script or binary, gets brokered against a signed tool registry with a short-lived (ephemeral) credential scoped to that one action. A convincing sentence in a README can't forge a (cryptographically signed digital) signature it was never issued. See how it works or request a demo.
Sources: The Hacker News, "Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It" · AI Now Institute, "Friendly Fire" exploit brief