Friendly Fire and HalluSquatting: New Attacks Trick AI Coding Agents Into Running Attacker Code and Installing Malware

Friendly Fire and HalluSquatting: New Attacks Trick AI Coding Agents Into Running Attacker Code and Installing Malware

TTP Advisory: Friendly Fire + HalluSquatting | No CVE | Target: AI Coding Assistants (Claude Code, OpenAI Codex) | Attack Type: Autonomous mode hijacking / Hallucination exploitation


Friendly Fire — AI Agents Tricked Into Running Attacker Code During Security Scans

Researchers at the AI Now Institute demonstrated that AI coding agents running in autonomous mode can be tricked into running an attacker’s code when asked to scan untrusted third-party code for security vulnerabilities. The attack, called ‘Friendly Fire’, works against Anthropic’s Claude Code and OpenAI’s Codex when either is running in an autonomous mode that approves its own commands. It hijacks the exact job these tools are sold for: checking untrusted code for problems. Instead of catching the threat, the agent becomes the way in.


HalluSquatting — AI Hallucinated Package Names Weaponised for Botnet Distribution

New research called ‘HalluSquatting’ turns AI hallucination into an attack: attackers work out the fake package names an AI reliably invents, register them first, and wait for the assistant to fetch the trap on a user’s behalf. Anyone whose AI assistant can fetch an outside resource and run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine. With a popular enough resource, one planted name can reach many machines — the researchers frame it as a botnet assembly technique.


Affected Tools

  • Claude Code (Anthropic) — tested in auto-mode with Claude Sonnet 4.6/5, Opus 4.8
  • OpenAI Codex — tested in auto-review mode with GPT-5.5

Both attacks exploit autonomous/auto-approve modes where the AI approves its own commands without human review.


Exploited?

No confirmed exploitation in the wild. Both were disclosed as proof-of-concept research.


Mitigation

  • Disable autonomous mode: Do not allow AI coding assistants to approve their own commands when working with untrusted code.
  • Package allowlisting: Implement allowlists for package registries in development environments.
  • Review AI-suggested dependencies: Verify any package names AI assistants suggest against official registries before installing.

Recommendations

  • Disable auto-approve for untrusted code: This is the single most effective mitigation for Friendly Fire.
  • Monitor for hallucinated package names: Register internal watchlists for package names that appear in AI-generated dependency suggestions.
  • Audit AI assistant activity: Review logs of commands executed by AI assistants for suspicious package installations or code execution.

References

  • The Hacker News: Friendly Fire research (AI Now Institute)
  • The Hacker News: HalluSquatting research

Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!