Researchers from the AI Now Institute have discovered a critical remote code execution (RCE) vulnerability in popular defensive AI agents, such as Anthropic Claude Code and OpenAI Codex. The attack utilizes a "double deception" method, allowing attackers to bypass modern security mechanisms and seize control of the system.

image
image

What Happened

Researchers demonstrated the possibility of achieving RCE through a two-layer prompt injection. In the first stage, attackers use fake binary files and scripts to deceive AI security classifiers. In the second stage, malicious instructions hidden in documentation (e.g., in README.md files) force the agent to execute arbitrary code when attempting to analyze third-party libraries. The vulnerability was successfully confirmed on models including Sonnet 4.6, 5, Opus 4.8, and GPT-5.5.

Context

Current approaches to protecting autonomous agents rely on the use of sandboxing and specialized AI classifiers to filter dangerous commands. However, the identified attack proves that these mechanisms are unable to recognize complex, multi-layered injections that mask an attacker's intentions as legitimate code review processes.

Why It Matters for the Industry

For the industry, this means that current security architectures do not provide sufficient isolation for the mass deployment of autonomous agents into critical infrastructure. The problem requires a transition from a simple execution model to a "planner + verifier + isolated executor" structure and the development of new methods for context verification at the logic level, rather than just at the signature level.

Why It Matters for Users

It is highly discouraged for developers to use AI agents in "auto-execute" mode for analyzing third-party repositories or unverified code. Without strict control and a transition to a Human-in-the-loop mode, the agent could become a tool for hacking the user's local system.

Sources

Author

Look at AI, Editorial Staff