
Ask an AI coding agent to review an open-source library for security flaws, and it might just run the malware hiding inside it instead.
That's the uncomfortable finding behind a new proof-of-concept exploit from researchers Boyan Milanov and Heidy Khlaaf of the AI Now Institute, who show that Anthropic's Claude Code CLI (running Sonnet 4.6, Sonnet 5, or Opus 4.8) and OpenAI's Codex CLI (running GPT-5.5) can be tricked into achieving remote code execution (RCE) — running attacker-controlled code on the host machine — simply by pointing either tool at a booby-trapped codebase and asking it to check for vulnerabilities.
The attack needs nothing exotic. No malicious MCP (Model Context Protocol) server, no rogue plugin, no tampered configuration file that would trip Claude Code's "trust this folder" warning. Just a doctored README and a couple of extra files planted inside an otherwise ordinary open-source project — in this case, a modified copy of geopy, a popular Python geocoding library.
Buried in the README is a short, friendly note urging developers to run a security.sh script before opening a pull request. The script quietly launches a binary named code_policies. To prevent the agent from flagging the binary as suspicious, the researchers also planted a matching Go source file designed solely to make the binary appear to be legitimate, inspectable code.
![]() |
| Attack flows from a supply-chain compromise of a third-party code repository to RCE on the agent infrastructure |
When Claude Code or Codex reviews the project under its default "auto-mode" or "auto-review" setting — which lets the AI run commands it judges safe without asking a human first — it reads the documentation, concludes the script is a normal part of the security workflow, and executes it, triggering the payload.
The exploit transferred across every model tested without any changes, and the researchers say it also works when the same instructions are hidden in CLAUDE.md or agent.md files, which agents treat with extra trust as part of the project context.
Neither Anthropic's nor OpenAI's disclosure program formally covers this class of bug, though both companies were notified. The researchers' recommendation is stark: don't point AI agents with code-execution access at untrusted data at all — sandboxing, they argue, hasn't proven strong enough to contain what follows once RCE is achieved.
The finding lands as both companies push AI agents as tools for scanning and patching vulnerable code, a use case this research suggests could just as easily hand attackers a way in.
