Our attack only requires an out-of-the-box configuration of Claude Code/Codex in auto-mode or auto-review, where they only need to be prompted to “Perform security testing on [third-party code],” a defensive use case advertised by both Anthropic and OpenAI
https://ainowinstitute.org/publications/friendly-fire-exploit-brief