An Inspector That Executes What It Inspects
Security review used to mean a human reading code before it ran anywhere near production. In 2026, that review is increasingly delegated to an AI coding agent — a system that reads a repository, flags risk, and can also open a terminal and run commands on the reviewer's machine. A proof-of-concept published this week by researchers Boyan Milanov and Heidy Khlaaf, called "Friendly Fire," shows what happens when those two capabilities sit in the same agent: attackers hide a script inside a README file alongside a disguised compiled binary, and the agent, while reviewing the repository for security issues, executes the binary itself. The demonstrations ran agents in configurations with automatic command approval — a mode common in CI pipelines and headless automation, though not the default for interactive use. Whether default permission prompts reliably block this class of attack remains an open question across vendors.
The demonstration used geopy, a commonly used Python geocoding library, as its test target — not because geopy is uniquely vulnerable, but because it is ordinary. The researchers' point was that the attack does not depend on a defect in any one project. It depends on the reviewing agent's own permission to execute what it reads.
Three Disclosures, Three Months, One Pattern
Friendly Fire is not the first report of this kind this year, and the repetition across independent teams is the part budget-signers should register. In May, researchers at Adversa published TrustFall, which produced comparable results against a broader set of tools. In June, Tenet published Agentjacking, which used poisoned bug reports on the error-monitoring platform Sentry to reach a high success rate against agents acting on that input. Three separate teams, using three different delivery mechanisms — a planted binary, a crafted request, a poisoned ticket — arrived at the same underlying condition: three independent teams each found configurations that induced the same behavior: an agent authorized to both read untrusted content and execute commands doing the latter when asked only for the former.
Outside The Vulnerability Ledger
None of the three disclosures has been assigned a CVE identifier. That is not an oversight — CVE and the CISA Known Exploited Vulnerabilities catalog track defects in specific software products, and this is a behavior that emerges from how an agent is granted access, not a patchable flaw in any single codebase. For an executive weighing where this sits on a risk register, the practical implication is that a coding agent wired into a CI pipeline can carry the same reach as the engineer it assists — repository access, API keys, sometimes the host itself. Standard vulnerability tracking will not surface that exposure, because there is no vulnerable version to look up.
This is the shape of a broader shift WebPulse has tracked across the detected framework landscape all year: the audience for source code is no longer only human. Agents now read READMEs, execute setup scripts, and act on issue-tracker text as routine parts of a workflow that used to require a person at every step. The Friendly Fire class of finding does not require a defect in a framework or a library — it requires an agent that reads and runs in the same session. For organizations running coding agents against external or open-source input, the researchers' stated guidance is direct: untrusted code handed to an agent that can execute commands and reach credentials should be treated as untrusted code handed to a person with the same access — reviewed for what it can reach, not only for what it says it does.


