# New ‘Friendly Fire’ Hack Turns AI Code Reviewers Into Attack Vectors

*Thursday, July 9, 2026 at 6:21 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-07-09T06:21:44.800Z (2h ago)
**Category**: cyber | **Region**: Global
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/10491.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: Researchers have shown that AI coding agents built to catch malicious software can be tricked into running it, by hiding attack instructions inside README files. The "Friendly Fire" technique turns tools like automated code reviewers into potential launchpads for intrusions on developer machines and corporate networks.

AI agents designed to spot dangerous code can themselves be hijacked into executing it, according to new research that exposes a fresh attack surface at the intersection of cybersecurity and automated software development.

The technique, dubbed "Friendly Fire," targets AI-powered coding assistants and review tools that automatically analyze repositories for bugs and vulnerabilities. By embedding malicious instructions in a project’s README or other documentation, attackers can cause an AI agent to execute arbitrary commands on the developer’s machine during an otherwise routine code review, a report by cybersecurity researchers published on 9 July warns.

The attack works because many AI code agents are built to follow natural-language instructions in addition to parsing source files. When a developer asks the tool to audit a repository, the agent may not only read the code but also "helpfully" carry out steps described in the documentation – such as running setup scripts or diagnostic commands. If those steps are crafted by an attacker, the AI can end up doing the intruder’s work, all while the human user thinks it is simply scanning for problems.

In practical terms, this puts software engineers and the organizations they work for directly in the blast radius of a new class of supply-chain attacks. A poisoned README in an open-source package, or in internal code shared across teams, could give an attacker a foothold inside corporate networks, bypassing traditional filters that focus on binaries and known malware signatures. The risk is especially acute for companies that have integrated AI agents deeply into their development pipelines, granting them broad access rights in the name of efficiency.

The researchers behind the Friendly Fire finding link the campaign to a broader trend of wrapping malicious infrastructure in seemingly legitimate services. In a separate but related operation tracked by security firm Infoblox, more than 230 domains were tied to fake proxy brands and trojanized software download sites, including bogus installers for tools like 7-Zip that turn victim devices into nodes in residential proxy networks. The common theme is that attackers are betting on trust in familiar tools – compression utilities, code reviewers, productivity scripts – and in many cases, on the opacity of AI decision-making.

For defenders, the implications extend beyond patching a single bug. AI code agents are increasingly being positioned as guardians against insecure practices, checking for SQL injections, hardcoded credentials or outdated libraries. If those guardians can be co-opted through something as simple as a README file, then the security model around automated development assistance needs a fundamental rethink. It is no longer safe to assume that an AI will only "read" when it is perfectly capable of acting.

The shareable takeaway is unsettling in its simplicity: in the age of AI-assisted coding, the most dangerous line in your repository might not be in the source code at all, but in the documentation that tells your tools what to do. As organizations rush to embed generative models into their workflows, governance over what those systems can execute – and under what constraints – becomes as critical as the models’ accuracy.

Key signals to watch will include whether major AI platform providers impose stricter default limits on code execution by their agents, how quickly development teams adopt sandboxing and least-privilege practices for automated tools, and whether regulators and industry bodies start treating AI agents in the software supply chain as potential points of systemic cybersecurity risk. The next generation of attacks may not target humans directly, but the AI helpers that increasingly stand between them and their code.
