On March 30, BeyondTrust proved that a crafted GitHub branch name could steal Codex’s OAuth token in cleartext. OpenAI has classified it Critical P1. Two days later, Anthropic’s Cloud Code source code spread on the public npm registry, and within a few hours, Adversa discovered that Cloud Code quietly bypassed its own deny rules when a command exceeded 50 subcommands. These were not isolated bugs. They were the latest over a nine-month period: six research teams disclosed exploits against Codex, Cloud Code, Copilot, and Vertex AI, and every exploit followed the same pattern. An AI coding agent placed a credential, executed an action, and authenticated to a production system without a human session anchoring the request.
The attack surface was first demonstrated at Black Hat USA 2025, when Zenity CTO Michael Bargueri hijacked ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein, and Cursor on stage with Jira MCP with zero clicks. Nine months later, the attackers gained access to those certificates.
Merritt Baer, CSO at Encrypt AI and former deputy CISO at AWS, named the failure in an exclusive VentureBeat interview. “Enterprises believe they have ‘approved’ AI vendors, but in reality what they have approved is an interface, not the underlying system.” Credential violations are at the bottom of the interface.
Codex, where a branch name stole GitHub tokens
BeyondTrust researcher Tyler Jespersen, along with Fletcher Davis and Simon Stewart, found the Codex clone repository using GitHub OAuth tokens embedded in Git remote URLs. During cloning, the branch name parameter flowed into the setup script untidy. A semicolon and a backtick subshell transformed the branch name into an exfiltration payload.
Stewart added slyly. Adding 94 ideographic space characters (Unicode U+3000) after “main” made the malicious branch look identical to the standard main branch in the Codex web portal. A developer sees “main”. Shell watches as Curle runs out of his tokens. OpenAI classified it Critical P1 and sent a full fix by February 5, 2026.
Cloud Code, where two CVEs and a 50-subcommand bypass broke the sandbox
CVE-2026-25723 affected Cloud Code’s file-write restrictions. Piped sed and echo commands escaped the project sandbox because command chaining was not valid. Patched in 2.0.55. CVE-2026-33068 was more subtle. Resolved permission mode from .cloud/settings.json before Cloud Code shows the Workspace Trust dialog. A malicious repo set Permissions.defaultMode to BypassPermissions. The trust prompt never appeared. Patched in 2.1.53.
50-subcommand bypass landed last. Adversa found that Cloud Code quietly removed deny-rule enforcement when a command exceeded 50 subcommands. Anthropic engineers traded safety for speed and stopped testing after the 1950s. Patched in 2.1.90.
“A critical vulnerability in enterprise AI is broken access controls, where the flat authorization plane of the LLM fails to respect the user’s permissions,” wrote Carter Rees, vice president of AI and machine learning at Reputation and member of the Utah AI Commission. The repository decides what permissions the agent has. The indicative budget decided which refusal rules would remain.
Copilot, where both the pull request description and the GitHub issue became the root
Johann Rehberger performed CVE-2025-53773 against GitHub Copilot with Marcus Vervier of Persistent Security as co-discoverer. Instructions hidden in the PR description caused Copilot to flip the auto-approval mode in .vscode/settings.json. This disabled all confirmations and allowed unrestricted shell execution on Windows, macOS, and Linux. Microsoft patched it in the August 2025 Patch Tuesday release.
Then, Orca Security cracked Copilot inside GitHub Codespaces. Instructions hidden in the GitHub issue manipulated Copilot into investigating a malicious PR with a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json. A crafted JSON $schema URL threw out the privileged GITHUB_TOKEN. Complete stock acquisition. Zero user interaction other than opening the issue.
Ivanti CTO Mike Reimer formulated the speed dimension in a VentureBeat interview: “Dangerous actors reverse engineer patches within 72 hours. If a customer doesn’t patch within 72 hours of release, they are open to exploitation.” Agents compress that window in seconds.
Vertex AI, where the default scope reached Gmail, Drive, and Google’s own supply chain
Unit 42 researcher Ofir Shaty discovered that the default Google service identity associated with each Vertex AI agent had excessive permissions. The stolen P4SA credentials provided unrestricted read access to every cloud storage bucket in the project and access to the restricted, Google-owned artifact registry repository at the core of the Vertex AI reasoning engine. Shatty described the compromised P4SA as acting like a "double agent," With access to both user data and Google’s own infrastructure.
VentureBeat Defense Grid
| security requirement |
defense sent |
path of exploitation |
difference |
|
Sandbox AI Agent Execution |
Codex runs jobs in cloud containers; The token is cleared during agent runtime. |
Token present during cloning. Branch-name command injection executed before cleanup. |
No input sanitization on container setup parameters. |
|
restrict file system access |
Cloud Code Sandbox writes via accept-edit mode. |
Piped sed/echo escaped sandbox (CVE-2026-25723). Settings.json bypasses the trust dialog (CVE-2026-33068). The 50-subcommand chain removed denial-of-rule enforcement. |
Command chaining is not valid. Settings loaded before trust. Rejected rules were crossed out for display. |
|
Block prompt injection in code context |
CoPilot filters PR details for known injection patterns. |
Hidden injections in PRs, README files, and GitHub issues triggered RCE (CVE-2025-53773 + Orca RoguePilot). |
Static pattern matching loses to valid review and hints embedded in codespace flow. |
|
Scope agent credentials for least privilege |
The Vertex AI Agent Engine uses a P4SA service agent with OAuth scope. |
Default scopes reached Gmail, Calendar, Drive. P4SA credentials read each cloud storage bucket and Google’s artifact registry. |
OAuth scope is not editable by default. Least privilege violated by design. |
|
Inventory and identification of government agents |
None of the major AI coding agent vendors offer agent identity detection or lifecycle management. |
No attempt was made. Enterprises do not list AI coding agents, their credentials, or the scope of their permissions. |
AI coding agents are invisible to IAM, CMDB, and asset inventory. Zero rule exists. |
|
Detect credential exfiltration from agent runtime |
The codex obscures the token in the web portal view. Cloud Code logs subcommands. |
Tokens visible in cleartext inside containers. Unicode obscurity hid the exfil payload. Subcommand chaining hid the intention. |
No runtime monitoring of agent network calls. Log truncation hid the bypass. |
|
Audit AI-generated code for security flaws |
Anthropic launches Cloud Code Security (February 2026). OpenAI launches Codex Security (March 2026). |
Both scan the generated code. Neither scans the agent’s own execution environment or credential handling. |
Code-output security is not agent-runtime security. The agent itself is the attack surface. |
Each exploit targeted runtime credentials, not model output
Each seller sent a rescue. Every defense was ignored.
The Sonar 2026 State of Code developer survey found that 25% of developers regularly use AI agents, and 64% have started using them. Veracode tested over 100 LLMs and found that 45% of the generated code samples had OWASP Top 10 flaws, an isolated failure that compounds the runtime credential gap.
CrowdStrike CTO Elia Zaitsev laid out the rule in an exclusive VentureBeat interview at RSAC 2026: Fall agent identity reverts back to the human, as the agent acting on your behalf should never have more privileges than you. Codex has one GitHub OAuth token for each repository authorized by the developer. Vertex AI’s P4SA reads every cloud storage bucket in the project. Cloud Code traded denial-of-rule enforcement for token budgets.
Kayne McGladrey, a senior member of the IEEE who advises enterprises on identity risk, made the same diagnosis in an exclusive interview with VentureBeat. "Because of the scale and speed of intent, it uses far more permissions than it should, far more than a human being should."
Reimer drew the operational line in an exclusive VentureBeat interview. "It turns out, I don’t know you until I verify you." Branch name talked to shell before verification. The GitHub issue was shared with Copilot before anyone read it.
Security Director Action Plan
- List of every AI coding agent (CIEM). Codex, Cloud Code, Copilot, Cursor, Gemini Code Assist, Windsurf. List each credential and OAuth scope received upon setup. If your CMDB doesn’t have a category for AI agent detection, create one.
-
Audit OAuth scopes and patch levels. Upgrade Cloud Code to version 2.1.90 or later. Verify Copilot’s August 2025 patch. Move Vertex AI to your own service-account model.
-
Consider branch names, pull request details, GitHub issues, and repo configurations as unreliable input. Monitor for Unicode obfuscation (U+3000), command chaining of over 50 subcommands, and changes to .vscode/settings.json or .cloude/settings.json that flip the permission mode.
-
The same way you control Human Privileged Identity (PAM/IGA), the same way you control government agent identities. Credential Rotation. Least scope of privilege. Separation of duties between the agent writing the code and the agent deploying it. CyberArk, Delinia, and any PAM platform that accepts non-human identities can onboard agent OAuth credentials today; Gravity’s 2026 survey found that only 21.9% of teams did so.
-
Verify before communicating. "I don’t mind allowing AI to maintain this as long as we trust, test, and verify." Reimer said. Before any AI coding agent authenticates to GitHub, Gmail, or any internal repository, verify the agent’s identity, scope, and the human session it is associated with.
-
Ask each seller in writing before your next renewal. "Show me the identity lifecycle management controls for an AI agent running in my environment, including credential scope, rotation policy, and permissions audit trail." If the vendor cannot answer, this is the audit conclusion.
difference of governance in three sentences
Most CISOs catalog every human identity and keep a zero list of AI agents running with equivalent credentials. No IAM framework controls human privilege escalation and agent privilege escalation with the same stringency. Most scanners track every CVE, but they may not alert when a branch name spits out a GitHub token through a container that developers trust by default.
Zaitsev’s advice to RSAC 2026 attendees was clear: You already know what to do. Agents made the cost of not doing it devastating.
<a href