Researchers from the AI Now Institute have discovered a critical remote code execution (RCE) vulnerability in popular defensive AI agents, such as Anthropic Claude Code and OpenAI Codex. The attack utilizes a "double deception" method, allowing attackers to bypass modern security mechanisms and seize control of the system.


What Happened
Researchers demonstrated the possibility of achieving RCE through a two-layer prompt injection. In the first stage, attackers use fake binary files and scripts to deceive AI security classifiers. In the second stage, malicious instructions hidden in documentation (e.g., in README.md files) force the agent to execute arbitrary code when attempting to analyze third-party libraries. The vulnerability was successfully confirmed on models including Sonnet 4.6, 5, Opus 4.8, and GPT-5.5.
Context
Current approaches to protecting autonomous agents rely on the use of sandboxing and specialized AI classifiers to filter dangerous commands. However, the identified attack proves that these mechanisms are unable to recognize complex, multi-layered injections that mask an attacker's intentions as legitimate code review processes.
Why It Matters for the Industry
For the industry, this means that current security architectures do not provide sufficient isolation for the mass deployment of autonomous agents into critical infrastructure. The problem requires a transition from a simple execution model to a "planner + verifier + isolated executor" structure and the development of new methods for context verification at the logic level, rather than just at the signature level.
Why It Matters for Users
It is highly discouraged for developers to use AI agents in "auto-execute" mode for analyzing third-party repositories or unverified code. Without strict control and a transition to a Human-in-the-loop mode, the agent could become a tool for hacking the user's local system.
Sources
Author
Look at AI, Editorial Staff
