Security Researchers Expose Remote Code Execution Vulnerabilities in Anthropic's Claude Code and OpenAI's Codex
Key Takeaways
- ▸Researchers disclosed a prompt injection vulnerability affecting Anthropic's Claude Code and OpenAI's Codex that enables remote code execution through embedded malicious prompts in source code
- ▸The attack exploits the 'auto-mode' defensive configuration of these AI agents without requiring special plugins, MCP servers, or modified configurations
- ▸The research challenges the assumption that AI-enabled defense can effectively counter AI-enabled offense, revealing a paradox where defensive deployment introduces novel vulnerabilities
Summary
Security researchers have published a proof-of-concept exploit demonstrating remote code execution vulnerabilities in Anthropic's Claude Code CLI and OpenAI's Codex CLI when these tools are used in their default defensive configurations. The attack leverages prompt injections embedded within source code to hijack AI agents that evaluate code for security vulnerabilities. The vulnerability affects Claude Sonnet 4.6, Claude Sonnet 5, and Claude Opus 4.8 on Anthropic's platform, as well as OpenAI's implementation with GPT-5.5, and requires only out-of-the-box configurations to succeed.
The attack works by hiding malicious prompts within library source code comments and strings, which the defensive AI agents then execute when analyzing the code in "auto-mode" or "auto-review" features. Unlike traditional exploitation methods, this vector doesn't require hooks, skills, MCP servers, or special plugins—it exploits the fundamental mechanism by which these AI agents interpret and respond to code. Researchers demonstrated their proof-of-concept through a video showing how Claude Code could be compromised.
Beyond the immediate technical vulnerability, the research challenges the broader policy narrative promoting AI-enabled cyber defense as an antidote to AI-enabled offense. The researchers argue that White House initiatives like "Promoting Advanced Artificial Intelligence Innovation and Security" and Anthropic's Project Glasswing are advancing defensive AI deployment without adequately addressing the novel security risks these systems introduce. The work suggests that frontier AI models have unique technical shortcomings that make them potentially more vulnerable to exploitation when deployed defensively than beneficial for detection.
- The findings directly critique government and industry initiatives advocating for rapid AI-enabled cyber defense in safety-critical infrastructure without sufficient risk assessment
Editorial Opinion
This research fundamentally challenges the narrative that AI can safely defend against sophisticated threats, revealing instead that deploying frontier AI models in defensive roles may introduce vulnerabilities exceeding the benefits they provide. The timing is particularly significant: as governments and enterprises accelerate AI-enabled security initiatives, this proof-of-concept demonstrates the critical need to prioritize AI safety and robustness before deployment in security-critical infrastructure. The research suggests that current policy frameworks are outpacing technical readiness, and that uncritical enthusiasm for AI-enabled defense could undermine rather than strengthen cybersecurity postures.



