Researchers have published two distinct proof-of-concept attacks showing how AI coding assistants can be manipulated into running malicious code on a developer's machine. The AI Now Institute detailed an attack called "Friendly Fire" that targets Anthropic's Claude Code and OpenAI's Codex when operating in autonomous approval mode. Separately, Wiz researchers identified a symlink vulnerability, dubbed "GhostApproval," affecting six popular AI coding tools.

The GhostApproval flaw allows a booby-trapped code repository to trick an assistant into writing to a sensitive system file instead of the harmless file it shows for approval. Affected tools include Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Both attacks exploit the trust these agents place in their own approval processes without independent verification.

Friendly Fire leverages the autonomous mode in Claude Code and Codex where the agent self-approves actions. An attacker can embed malicious instructions in open-source code that the agent then executes on the host machine. The attack bypasses the intended security boundary by having the agent run the attacker's payload under its own authority.

No patches have been announced for the Friendly Fire attack, though the AI Now Institute published their findings on Wednesday. For GhostApproval, Wiz has disclosed the vulnerability to the affected vendors but no timeline for fixes has been provided. Developers are advised to disable autonomous approval modes and manually review every file write request from AI coding tools until patches are available.

Neither research group has observed active exploitation in the wild, but both attacks raise concerns about the architectural security assumptions in AI coding agents. The Friendly Fire attack lacks a known CVE identifier, while CVE assignment for GhostApproval is pending.