TTP Advisory: Friendly Fire + HalluSquatting | No CVE | Target: AI Coding Assistants (Claude Code, OpenAI Codex) | Attack Type: Autonomous mode hijacking / Hallucination exploitation
Friendly Fire — AI Agents Tricked Into Running Attacker Code During Security Scans
Researchers at the AI Now Institute demonstrated that AI coding agents running in autonomous mode can be tricked into running an attacker’s code when asked to scan untrusted third-party code for security vulnerabilities. The attack, called ‘Friendly Fire’, works against Anthropic’s Claude Code and OpenAI’s Codex when either is running in an autonomous mode that approves its own commands. It hijacks the exact job these tools are sold for: checking untrusted code for problems. Instead of catching the threat, the agent becomes the way in.
HalluSquatting — AI Hallucinated Package Names Weaponised for Botnet Distribution
New research called ‘HalluSquatting’ turns AI hallucination into an attack: attackers work out the fake package names an AI reliably invents, register them first, and wait for the assistant to fetch the trap on a user’s behalf. Anyone whose AI assistant can fetch an outside resource and run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine. With a popular enough resource, one planted name can reach many machines — the researchers frame it as a botnet assembly technique.
Affected Tools
- Claude Code (Anthropic) — tested in auto-mode with Claude Sonnet 4.6/5, Opus 4.8
- OpenAI Codex — tested in auto-review mode with GPT-5.5
Both attacks exploit autonomous/auto-approve modes where the AI approves its own commands without human review.
Exploited?
No confirmed exploitation in the wild. Both were disclosed as proof-of-concept research.
Mitigation
- Disable autonomous mode: Do not allow AI coding assistants to approve their own commands when working with untrusted code.
- Package allowlisting: Implement allowlists for package registries in development environments.
- Review AI-suggested dependencies: Verify any package names AI assistants suggest against official registries before installing.
Recommendations
- Disable auto-approve for untrusted code: This is the single most effective mitigation for Friendly Fire.
- Monitor for hallucinated package names: Register internal watchlists for package names that appear in AI-generated dependency suggestions.
- Audit AI assistant activity: Review logs of commands executed by AI assistants for suspicious package installations or code execution.
References
- The Hacker News: Friendly Fire research (AI Now Institute)
- The Hacker News: HalluSquatting research
Part of the Vulnerability Intelligence series on threat-modeling.com. July 9, 2026 Report.
