Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.

On March 30, BeyondTrust demonstrated that a specially crafted GitHub branch name could steal Codex’s OAuth token in plaintext. OpenAI classified this as Critical P1. Shortly after, Anthropic’s Claude Code source code was leaked to the public npm registry, and Adversa discovered that Claude Code was ignoring its own deny rules when a command exceeded 50 subcommands. These were part of a series of exploits against Codex, Claude Code, Copilot, and Vertex AI that spanned nine months, all following a similar pattern: an AI coding agent holds a credential, performs an action, and authenticates to a production system without human supervision.

This class of weakness was first demonstrated at Black Hat USA 2025, where Zenity CTO Michael Bargury hijacked several platforms with no user interaction. Nine months later, attackers exploited these credentials.

Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, highlighted this flaw in an exclusive interview with VentureBeat. “Enterprises think they have ‘approved’ AI vendors, but in reality, they have only approved an interface, not the underlying system. The breach lies in the credentials beneath the interface.”

Codex Vulnerability: GitHub Token Theft via Branch Name

BeyondTrust researchers Tyler Jespersen, Fletcher Davis, and Simon Stewart discovered that Codex was cloning repositories using a GitHub OAuth token embedded in the git remote URL. During the cloning process, an unsanitized branch name parameter in the setup script allowed for command injection. By appending Ideographic Space characters after “main,” the malicious branch appeared identical to the standard main branch in the Codex web portal. OpenAI addressed this Critical P1 vulnerability by February 5, 2026.
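The Codex finding above turns on two defensive failures: a branch name reached a shell unsanitized, and the OAuth token lived in the remote URL where any injected command could read it. The following is an added illustration of the mitigations, not BeyondTrust’s proof of concept and not OpenAI’s fix: an allow-list validator that rejects non-ASCII padding such as U+3000 after “main”, a helper that names the offending characters for logging, a redactor that strips embedded credentials from a remote URL, and an argv builder so the branch is never interpolated into a shell string. All function names and rules are hypothetical.

```python
import re
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list: plain ASCII ref names only. Anything else (shell
# metacharacters, whitespace, Unicode look-alikes) is rejected outright.
_REF_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_safe_branch_name(name: str) -> bool:
    """Return True only for names that are safe to pass to git as argv."""
    if not name or len(name) > 255 or not _REF_ALLOWED.fullmatch(name):
        return False
    # Mirror a few of git's own ref rules (check-ref-format) as extra checks.
    if ".." in name or "//" in name or name.endswith(("/", ".lock", ".")):
        return False
    return True


def suspicious_chars(name: str) -> list[tuple[str, str]]:
    """List non-ASCII characters with their Unicode names, for audit logs.
    'main' + U+3000 renders like 'main' in a UI but shows up here."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ord(ch) > 0x7F]


def redact_remote_url(url: str) -> str:
    """Strip user:token@ from a git remote URL before it is logged or echoed."""
    p = urlsplit(url)
    if not (p.username or p.password):
        return url
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))


def clone_argv(remote_url: str, branch: str) -> list[str]:
    """Build a git clone command as an argv list (never a shell string).
    Credentials are expected to come from a credential helper or an
    Authorization header configured separately, not from the URL."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r} {suspicious_chars(branch)}")
    clean_url = redact_remote_url(remote_url)
    # '--' ends option parsing so a branch starting with '-' cannot become a flag.
    return ["git", "clone", "--branch", branch, "--single-branch", "--", clean_url]
```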

Claude Code Vulnerabilities: CVEs and Deny Rule Bypass

CVE-2026-25723 left Claude Code’s file-write restrictions open to exploitation. Additionally, a vulnerability (CVE-2026-33068) allowed malicious repositories to bypass trust dialog prompts. Adversa also discovered that Claude Code stopped enforcing deny rules once a command exceeded 50 subcommands. These vulnerabilities were patched in subsequent updates.

Copilot Vulnerabilities: Remote Code Execution and GitHub Issue Exploitation

Johann Rehberger and Markus Vervier discovered a vulnerability (CVE-2025-53773) in GitHub Copilot that enabled remote code execution. Orca Security further exploited Copilot within GitHub Codespaces, allowing for full repository takeover through a crafted GitHub issue. Microsoft patched these vulnerabilities in subsequent releases.

Vertex AI Vulnerability: Excessive Default Scopes

Unit 42 researcher Ofir Shaty found that default Google service identities in Vertex AI had excessive permissions, leading to unauthorized access to sensitive data. Shaty described the compromised credentials as functioning like a “double agent,” with access to user data and Google’s infrastructure.

Security Recommendations and Governance

To address these vulnerabilities, security directors are advised to inventory AI coding agents, audit OAuth scopes, treat user inputs as untrusted, govern agent identities, validate communications, and seek detailed information from vendors regarding identity lifecycle management controls.

It is crucial to recognize the governance gap between human and AI identities, patch vulnerabilities promptly, and prioritize security measures to prevent unauthorized access and data breaches.