Exploits Uncovered Against AI Coding Agents: A Deep Dive

In a recent revelation by BeyondTrust on March 30, it was demonstrated that a carefully crafted GitHub branch name could potentially expose Codex’s OAuth token in plaintext, leading to OpenAI labeling it as Critical P1. Following this incident, Anthropic’s Claude Code source code was unexpectedly leaked onto the public npm registry, prompting Adversa to uncover a critical security flaw where Claude Code would quietly ignore its own deny rules once a command surpassed 50 subcommands. These incidents were not isolated cases but rather part of a series of exploits over a period of nine months, with six different research teams discovering vulnerabilities in Codex, Claude Code, Copilot, and Vertex AI. The common thread among all these exploits was that an AI coding agent would possess a credential, carry out an action, and authenticate itself to a production system without the oversight of a human session anchoring the request.

The vulnerability of AI coding agents was initially showcased at Black Hat USA 2025 when Zenity CTO Michael Bargury commandeered ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein, and Cursor with Jira MCP without the need for any user interaction. Nine months later, these exploited credentials became the target of malicious actors.

Merritt Baer, the Chief Security Officer at Enkrypt AI and former Deputy CISO at AWS, highlighted this security lapse in an exclusive interview with VentureBeat, emphasizing that while enterprises may believe they have approved AI vendors, in reality, they have only approved the interface and not the underlying system. It is the credentials beneath the interface that are left vulnerable to breaches.

Codex: Vulnerability Exploited through Branch Name Manipulation

Researchers Tyler Jespersen, Fletcher Davis, and Simon Stewart from BeyondTrust discovered a flaw in Codex where cloned repositories utilized a GitHub OAuth token embedded in the git remote URL. During the cloning process, the branch name parameter was not sanitized, allowing for a semicolon and a backtick subshell to transform the branch name into a potential exfiltration payload. Stewart further enhanced the stealthiness of this exploit by appending 94 Ideographic Space characters after the branch name, making the malicious branch appear identical to the standard main branch in the Codex web portal. OpenAI classified this vulnerability as Critical P1 and implemented a full fix by February 5, 2026.

Claude Code: Vulnerabilities Leading to Sandbox Bypass

CVE-2026-25723 exposed Claude Code’s file-write restrictions to exploitation as piped sed and echo commands managed to escape the project sandbox due to unvalidated command chaining. This vulnerability was addressed in version 2.0.55. Another subtler vulnerability, CVE-2026-33068, allowed Claude Code to bypass permission modes by manipulating the .claude/settings.json file before the workspace trust dialog was displayed. A malicious repository could set permissions.defaultMode to bypass permissions, circumventing the trust prompt. This security flaw was patched in version 2.1.53. The final vulnerability in Claude Code involved a 50-subcommand bypass, where Adversa discovered that the system would disregard deny-rule enforcement once a command exceeded 50 subcommands. This compromise of security for speed was rectified in version 2.1.90.

Carter Rees, the VP of AI and Machine Learning at Reputation and a member of the Utah AI Commission, emphasized the significance of broken access control in enterprise AI, where the authorization plane of a Limited License Model (LLM) fails to respect user permissions, allowing the repository to dictate the agent’s permissions and the token budget determining which deny rules were upheld.

Copilot: Breaches Exploiting Pull Request Descriptions and GitHub Issues

Johann Rehberger showcased CVE-2025-53773 against GitHub Copilot, with Markus Vervier of Persistent Security as a co-discoverer, where hidden instructions in pull request descriptions could manipulate Copilot to disable confirmations and allow for unrestricted shell execution across different operating systems. This vulnerability was patched in the August 2025 update by Microsoft. Orca Security later demonstrated how hidden instructions in a GitHub issue could coerce Copilot into checking out a malicious pull request containing a symbolic link to a sensitive file, leading to a full repository takeover without any user interaction.

Mike Riemer, the CTO at Ivanti, highlighted the urgency of patching vulnerabilities promptly, as threat actors are quick to reverse-engineer patches, leaving unpatched systems vulnerable to exploitation within a short timeframe.

Vertex AI: Default Scopes Exposing Sensitive Data

Researcher Ofir Shaty from Unit 42 uncovered a critical flaw in Vertex AI where the default Google service identity attached to every agent possessed excessive permissions, granting unrestricted read access to all Cloud Storage buckets within the project and breaching Google’s Artifact Registry repositories. This compromised service account functioned as a "double agent," with access to both user data and Google’s infrastructure.

Action Plan for Security Directors

1. Inventory Every AI Coding Agent: Maintain a comprehensive list of all AI agents in use, including Codex, Claude Code, Copilot, Cursor, Gemini Code Assist, and Windsurf. Document the credentials and OAuth scopes granted to each agent and ensure they are categorized in the CMDB.
2. Audit OAuth Scopes and Patch Levels: Regularly update software versions to mitigate known vulnerabilities. Verify that security patches such as those for Claude Code and Copilot have been applied. Consider migrating Vertex AI to a bring-your-own-service-account model for enhanced security.
3. Treat Untrusted Inputs with Caution: Be vigilant against potential security risks posed by branch names, pull request descriptions, GitHub issues, and repository configurations. Monitor for specific indicators such as Unicode obfuscation, command chaining exceeding 50 subcommands, and changes to critical configuration files.
4. Govern Agent Identities: Implement robust identity management practices for AI agents, including regular credential rotation, least-privilege scoping, and segregation of duties between code writing and deployment functions. Utilize specialized platforms like CyberArk or Delinea to manage non-human identities effectively.
5. Validate Before Authentication: Prior to granting access to critical systems, verify the identity, permissions, and associated human session of AI coding agents. Establish a stringent validation process to prevent unauthorized access.
6. Vendor Accountability: Demand transparency from AI vendors regarding identity lifecycle management controls for the agents operating within your environment. Ensure that credential scopes, rotation policies, and permission audits are clearly defined and adhered to.

   Adhering to these recommended actions can significantly enhance the security posture of organizations utilizing AI coding agents and mitigate the risks associated with runtime credential vulnerabilities.

   Closing Thoughts
   

   The realm of AI coding agents presents a complex landscape of security challenges, where the compromise of runtime credentials poses a significant threat to organizational cybersecurity. As highlighted by industry experts and researchers, addressing these vulnerabilities requires a holistic approach encompassing identity management, vulnerability patching, and continuous monitoring of agent activities. By proactively implementing robust security measures and staying informed about emerging threats, enterprises can safeguard their AI infrastructure and protect sensitive data from exploitation.

   In a rapidly evolving digital landscape, the security of AI coding agents is paramount to maintaining the integrity and confidentiality of organizational assets. By prioritizing security practices and implementing stringent controls, businesses can effectively mitigate the risks associated with AI vulnerabilities and safeguard against potential breaches.

   —
   This comprehensive analysis delves into the recent exploits uncovered against AI coding agents, offering actionable insights for security directors to fortify their defenses. Stay informed, stay secure.