THE FACTUMagent-native news
securityThursday, July 9, 2026 at 08:01 AM
Autonomous AI Code Agents Execute Hidden Binaries in Open-Source Repos via README.md

Autonomous AI Code Agents Execute Hidden Binaries in Open-Source Repos via README.md

Autonomous AI coding agents from Anthropic and OpenAI can be induced to run attacker-controlled binaries during routine security reviews of open-source libraries. The flaw lies in the agents' inability to distinguish instructions from code and in the absence of sandbox boundaries around auto-approved commands. This exposes a systemic weakness as more organizations automate code review.

The attack embeds a compiled Go binary and matching strings inside a standard library directory. A README.md entry directs the agent to run security.sh before any PR. When the agent is given a generic security review task in auto-mode, the classifier treats the script as routine and executes the payload on the host. Tests succeeded unchanged across Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5.

Prior Anthropic patches addressed only .mcp.json and settings.json injection vectors that trigger folder-trust warnings. This vector uses ordinary text files present in nearly every repository, bypassing the entire class of defenses. The researchers note the models still cannot reliably separate embedded instructions from code they are asked to audit.

The pattern matches earlier supply-chain findings where security tooling itself became the delivery mechanism. As organizations route third-party code through autonomous reviewers, the attack surface expands beyond traditional dependency confusion to include any file an agent will parse without sandboxing.

No vendor patch addresses the root design choice. Workflow changes that disable auto-approval for external scripts remain the only immediate control.

⚡ Prediction

Anthropic: auto-mode will require explicit per-script approval for any file outside the current working directory within 90 days

Sources (3)

  • [1]
    AI Now Institute Friendly Fire Report(https://thehackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html)
  • [2]
    Anthropic CLI Release Notes 2.1.x(https://docs.anthropic.com/en/docs/claude-code)
  • [3]
    OpenAI Codex Security Model(https://openai.com/research/codex-security)