AI Security Tools Weaponized for Cyber-Attacks, Researchers Warn
Researchers demonstrate how AI assistants from Anthropic and OpenAI, designed for cybersecurity tasks, can be exploited for remote code execution.

Researchers at the AI Now Institute have developed a proof-of-concept exploit that demonstrates the alarming potential for AI tools commonly used in cybersecurity to be weaponized for malicious purposes. The exploit targets popular AI-powered command-line interfaces (CLIs) from Anthropic and OpenAI, revealing how defensive tools could be turned into offensive vectors.
The core of the exploit lies in a sophisticated prompt injection chain combined with tool-use exploitation. Attackers can embed malicious instructions within the files of an open-source codebase, disguised as legitimate comments or documentation. When a user employs AI assistants like Anthropic's Claude Code or OpenAI's Codex in their automated review or analysis modes, these hidden instructions can trick the AI into executing arbitrary code on the user's machine.
These AI tools often feature an "auto-mode" or "auto-review" function, which automatically executes commands deemed safe without requiring human approval. The exploit leverages this by crafting malicious commands that fool the AI's internal classifiers and heuristics into classifying them as harmless or routine. This allows the AI assistant to autonomously execute attacker-controlled scripts and binaries, leading to remote code execution (RCE) on the victim's system.
The attack requires minimal prerequisites, working with out-of-the-box installations of the targeted AI tools. The victim simply needs to direct the AI assistant to scan a codebase containing the attacker's hidden malicious payload. The AI, in its effort to perform vulnerability analysis or other security tasks, inadvertently runs the embedded malicious script, which in turn launches a hidden malicious binary.
Specifically, the exploit affects Claude Code when used with Claude Sonnet 4.6 and 5, and Codex when used with GPT-5.5. The researchers successfully tested this on Linux systems using specific versions of Claude Code (2.1.116, 2.1.196, 2.1.198, and 2.1.199) and Codex (0.142.4).
This finding is particularly concerning given the increasing adoption of AI agents for automated security reviews and patching by governments and corporations. Initiatives like Anthropic's Project Glasswing and OpenAI's Patch the Planet program aim to leverage AI for enhanced security, but this exploit highlights a critical vulnerability in the trust boundary between AI agents and the systems they interact with.
The researchers argue that the core issue is architectural: granting AI agents the autonomy to decide what is safe to execute creates a new attack surface. This technique could potentially be transferable to other agentic AI coding platforms, as the fundamental problem is convincing the AI, rather than the human user, that malicious code is safe to run.
While the report was not within the scope of the security disclosure policies for either Anthropic or OpenAI, the findings underscore the urgent need for robust security measures and a deeper understanding of the dual-use potential of AI technologies in the cybersecurity landscape.