Friendly Fire, the researchers argue, is a proof-of-concept exploit that turns automated code-review and security agents into attack vectors. It does that by hiding malicious instructions inside a library that looks harmless, or in that library’s documentation.
More teams are now using autonomous or semi-autonomous tools to scan open-source packages and third-party code before deployment. What the researchers show is that instructions tucked into an innocent-looking library can be followed rather than flagged, and agents that open files, run commands, generate reports, or reach into local systems and development environments can wind up executing malicious code on your machine.
In their view, this is a design and trust-boundary problem, not just a bug. Current model-driven systems still have trouble telling the difference between legitimate analysis and hostile instructions embedded in the data they inspect, and even with a human in the loop, alert fatigue, misleading output, and the pace of a live incident can still turn the guard into the intruder. If automated security reviews are part of your stack, their report is worth your time.
They also argue that the same automation used for threat detection, fraud monitoring, phishing discovery, penetration testing, and cloud defense can just as easily make phishing, adaptive malware, and partly autonomous attack chains more effective. That raises risks tied to state actors, espionage, misinformation, and escalation, and the full report is available online.
Author: Chema Carvajal Sarabia
{
"de-DE": "Journalist, spezialisiert auf Technologie, Unterhaltung und Videospiele. Über das zu schreiben, was mich begeistert (Gadgets, Spiele und Filme), ermöglicht es mir, bei Verstand zu bleiben und mit einem Lächeln im Gesicht aufzuwachen, wenn der Wecker klingelt. PS: Das stimmt nicht 100% der Zeit.",
"en-US": "Journalist specialized in technology, entertainment and video games. Writing about what I'm passionate about (gadgets, games and movies) allows me to stay sane and wake up with a smile on my face when the alarm clock goes off. PS: this is not true 100% of the time.",
"es-ES": "Content Manager - Periodista especializado en tecnología, entretenimiento y videojuegos. Escribir sobre lo que me apasiona (cacharros, juegos y cine) me permite seguir cuerdo y despertarme con una sonrisa cuando suena el despertador. PD: esto no es cierto el 100 % de las veces.",
"fr-FR": "Journaliste spécialisé dans la technologie, le divertissement et les jeux vidéo. Écrire sur ce qui me passionne (gadgets, jeux et films) me permet de rester sain d'esprit et de me réveiller avec le sourire aux lèvres quand le réveil sonne. PS : cela n'est pas vrai 100 % du temps.",
"it-IT": "Giornalista specializzato in tecnologia, intrattenimento e videogiochi. Scrivere di ciò che mi appassiona (gadget, giochi e film) mi permette di mantenere la sanità mentale e di svegliarmi con un sorriso sul viso quando suona la sveglia. PS: questo non è vero al 100% del tempo.",
"ja-JP": "",
"nl-NL": "",
"pl-PL": "",
"pt-BR": "Jornalista especializado em tecnologia, entretenimento e videogames. Escrever sobre o que me apaixona (gadgets, jogos e filmes) me permite manter a sanidade e acordar com um sorriso no rosto quando o despertador toca. PS: isso não é verdade 100% do tempo.",
"social": {
"email": "chemacs91@gmail.com",
"facebook": "",
"twitter": "https://twitter.com/chematopetazo",
"linkedin": ""
}
}
View all posts by Chema Carvajal Sarabia