A developer laptop running an AI coding agent with auto-run enabled is now one of the least monitored ways an attacker can execute code inside your network. That is the honest read of a single week in early July, when three separate research groups published attacks that all end the same way: the agent runs code it was never handed, using the privileges of the person sitting in front of it. There is no CVE to close and no vendor patch coming, because none of these are bugs in one product. They are the same design gap surfacing three ways.
On July 8, researchers at Tel Aviv University, the Technion, and Intuit disclosed HalluSquatting, a technique that turns an AI model's habit of inventing package names into a delivery channel for botnet malware. A day later, the AI Now Institute published Friendly Fire, showing that agents built to audit untrusted code can be talked into executing it. The same week brought GhostApproval, reported as a set of symlink flaws that let a malicious repository run code inside coding agents. Read together, they describe a new endpoint class, not three isolated advisories.
Hallucination-squatting jumped from domains to code execution
We covered the domain version of this last week: Unit 42 found attackers registering the fake web addresses models reliably invent, so a chatbot's confident answer sends real users to attacker infrastructure. HalluSquatting is the same idea moved up the stack, from a phishing problem to a code-execution one. Ask a coding assistant to pull a well-known tool and it will occasionally answer with a plausible-looking package that was never published. An attacker who learns which fabricated name a given model favors can register it first, on a package registry, a plugin store, or GitHub, and load it with instructions.
What makes it a reliable attack rather than a lucky one is the repeatability. The Tel Aviv team measured up to 85 percent consistency in the fake repository name a model produced across different phrasings, and reported a 100 percent hallucination rate on some skill installs. That is the point most coverage skated past: an attacker registers a hallucinated name once and then collects every developer whose agent invents it, across models from different vendors. A probabilistic quirk becomes a deterministic distribution list. The researchers demonstrated it against nine agents, including Cursor, Gemini CLI, Windsurf, GitHub Copilot, and Cline, and framed the reach as botnet-grade: enough compromised developer machines to run cryptomining, distributed denial of service, or coordinated ransomware across the networks those developers can touch.
Friendly Fire: the auditor becomes the executor
The AI Now Institute study attacks the problem from a different angle and lands in the same place. Researchers Boyan Milanov and Heidy Khlaaf planted directions inside an ordinary README.md in an open-source repository, dressed up an attacker binary to look like build output from a trusted source file, and pointed a code-auditing agent at the project. Told to review it, the agent treated the file's instruction to execute a bundled security.sh helper as part of its assignment and ran the hidden payload. They reproduced this against Claude Code and OpenAI Codex.
Their conclusion is the line every security team should sit with: no future model release closes this, because the model still has no dependable way to tell the code it is examining apart from any commands buried inside that code. That is the shared root cause under all three disclosures. An agent that ingests untrusted content and can also act, fetch, compile, run, has no dependable boundary between data and command. Instruction-versus-data confusion is not new; putting it behind a shell on a developer's machine is.
| Disclosure (early July 2026) | Mechanism | Ends in | CVE / patch |
|---|---|---|---|
| HalluSquatting | Model invents a package name; attacker pre-registers it | Attacker code fetched and run | None |
| Friendly Fire | Malicious README instructions read as a task | Auditing agent runs the payload | None |
| GhostApproval | Symlink handling in a malicious repo | Repo runs code in the agent | None |
This is an endpoint problem, not a vulnerability problem
Security teams are organized to answer "what do we patch." These attacks give no answer, and that is the trap. There is no fixed version to move to, no advisory to track to closed, nothing for a scanner to flag. If your program routes AI-agent risk through vulnerability management, it will show green while the exposure grows, because vulnerability management measures things with CVEs and these have none.
Reframe it as what it is. A developer workstation running an agent that can fetch remote content and execute commands, with approvals turned off, is an endpoint that runs attacker-influenced code with a human's standing privileges and reaches everything that human reaches: source, cloud credentials, internal APIs, production. That is the definition of a high-value host, and it is usually one of the least instrumented machines you own. The relevant controls are the ones you already apply to privileged endpoints, moved onto the coding agent: acceptable-use policy, least privilege, and process telemetry. Our running series on a clean repo that hands over a shell, an old bash trick that revives blocked commands, and an agent coaxed into leaking a private repo is not a list of unrelated bugs. It is the same endpoint class failing over and over.
The telemetry that catches this is process ancestry, not signatures
None of these attacks need a new malicious binary sitting on disk for a scanner to find. HalluSquatting arrives as a package the developer meant to install; Friendly Fire runs a script the agent decided to run. What they cannot hide is the process tree. The coding agent is a known parent process, a Node or Python CLI, and when it spawns a shell, a compiler, a curl or wget, or opens an outbound connection it did not open a minute ago, that ancestry is the anomaly. Build detections on it: the agent's binary spawning an interpreter or network client, package-manager installs that fire outside a human-initiated build, and outbound connections parented by the editor rather than the browser. This is the layer threat hunting and endpoint monitoring already watch on servers; a managed detection layer that reads process ancestry and outbound flows and alerts on the deviation is the same discipline pointed at a machine most teams left out of scope.
Turn off auto-run before you write a single detection
The cheapest control ships in the tools themselves. The single change that defuses most of this is removing the agent's permission to act without a human clicking yes: disable the skip-approval and "yolo" auto-run modes that let an agent fetch and execute in one uninterrupted step. That converts every one of these attacks from silent execution into a prompt a developer has to approve, which is exactly the moment a fake package name or an odd script invocation becomes visible. Pair it with a standing rule the whole team hears: the name an assistant gives you is a prediction, not a verified fact, so confirm a package or repository exists before you let the agent pull it. Then instrument the workstations and hunt the process tree for the days the policy slips. Patching is not on the table here. Configuration and detection are the whole game.