A proof-of-concept exploit demonstrates remote code execution in Anthropic’s Claude Code and OpenAI’s Codex when used with specific AI models. Attackers can inject malicious instructions into open-source codebases, tricking the AI into executing arbitrary commands during automated analysis tasks. The exploit leverages multi-stage prompt injection and tool-use exploitation to bypass safety checks in auto-mode or auto-review mode.