CyberSecurityNews

OpenAI Codex Command Injection Vulnerability Lets Attackers Steal GitHub User Access Tokens


The integration of AI coding agents has introduced new, high-impact attack surfaces for development teams.

Phantom Labs at BeyondTrust recently discovered a critical command-injection vulnerability in OpenAI Codex. This flaw allowed attackers to steal sensitive GitHub User Access Tokens.

By exploiting how Codex handles task creation requests, threat actors could move laterally into an organization's GitHub environment using exactly the permissions granted to the AI agent.

The Command Injection Exploit

OpenAI Codex is a cloud-based coding assistant that connects directly to developers’ GitHub repositories.

When a user submits a prompt, Codex spins up a managed container to run tasks such as code generation or repository analysis.

Codex attack path (source: BeyondTrust)

BeyondTrust researchers found that during this container setup phase, the system failed to sanitize user-controlled input before using it in shell commands.


Specifically, the GitHub branch name parameter in the HTTP POST request that creates a task was interpolated directly into the environment's setup scripts, which run as shell commands inside the container.

An attacker could exploit this by placing a shell command in the branch name. For example, a malicious payload could make the setup script write the GitHub OAuth token available to it into a readable text file in the container's workspace.

The attacker could then prompt the Codex agent to read that file, exposing the cleartext token directly in the web interface.

Authorizing ChatGPT Codex Connector on the GitHub application (source: BeyondTrust)

The danger extended beyond the web portal to local developer environments. Researchers found that the desktop Codex applications store session credentials locally in an authentication file (auth.json).

If an attacker gained access to a developer’s machine running Windows, macOS, or Linux, they could steal these local session tokens.

By using these compromised local tokens to authenticate against the backend API, the attacker could retrieve the user’s entire task history.

This backend access allowed them to extract the GitHub access tokens hidden deep within the container task logs. The attack could also be automated to compromise multiple users without ever interacting with the Codex interface.

By creating a malicious branch directly in a shared GitHub repository, an attacker could trigger the exploit against anyone using Codex on that specific codebase.

Codex authentication tokens stored in auth.json (source: BeyondTrust)

To bypass GitHub's branch-naming restrictions, which reject spaces in ref names, the attackers replaced each space in the payload with the shell's internal field separator variable, ${IFS}, which expands to whitespace when the command runs and so keeps the injected command valid.

They also hid the malicious payload from the user interface by padding the name with Unicode Ideographic Spaces (U+3000), which GitHub accepts in branch names but which render like ordinary blanks. To an unsuspecting victim, the malicious branch appeared identical to the standard main branch.

Once a user or automated process interacted with it, the payload executed silently in the background, sending their GitHub token to an external server controlled by the attacker.

Stealing Installation Tokens

This automated branch attack also worked against pull request reviews. When a developer tagged the Codex bot to review a pull request, the system started a code review container.

If the repository contained the maliciously named branch, the review container executed the hidden payload, allowing attackers to steal the broader GitHub Installation Access token.

Codex container logs demonstrating command injection (source: BeyondTrust)

This vulnerability carried a Critical rating and affected the ChatGPT website, Codex CLI, Codex SDK, and Codex IDE Extensions.

OpenAI received the responsible disclosure in December 2025 and fully patched the issue by late January 2026.

As AI coding assistants become deeply embedded in developer workflows, organizations must treat agent containers as strict security boundaries.

Development and security teams should adopt these practices:

  • Validate all user-controllable inputs against an allowlist before they reach a shell command, or avoid the shell entirely by passing them as separate arguments.
  • Never assume that a provider's own format rules (such as GitHub's restrictions on branch names) make a value safe to use in a command.
  • Audit the permissions granted to AI applications to enforce strict least privilege.
  • Monitor repositories for unusual branch names containing shell metacharacters, ${IFS}, or non-ASCII space characters.
  • Rotate GitHub tokens regularly and review access logs for unexpected API activity.
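The example below is added here to illustrate the injection mechanics described above (branch name interpolated into a shell command, spaces replaced with ${IFS}, payload hidden behind U+3000 ideographic spaces) together with the hardening and monitoring practices in the list. It is not code from BeyondTrust or OpenAI. The branch name, the payload, the variable name GITHUB_TOKEN and the allowlist rules are all constructed assumptions; the real setup script, its environment and the exact payload used in the research are not shown on this page.

```python
import re
import shlex
import unicodedata

# Constructed attacker-controlled branch name (hypothetical, not the payload
# from the BeyondTrust report). ${IFS} stands in for the spaces GitHub refuses
# in ref names; a run of U+3000 IDEOGRAPHIC SPACE pushes the payload out of
# view so the name renders like "main". GITHUB_TOKEN is a hypothetical
# variable name standing in for whatever secret the setup script can reach.
IDEOGRAPHIC_SPACE = "\u3000"
MALICIOUS_BRANCH = (
    "main" + IDEOGRAPHIC_SPACE * 40
    + ";printenv${IFS}GITHUB_TOKEN>leak.txt"
)


def unsafe_setup_command(branch: str) -> str:
    """Vulnerable pattern: the branch name is interpolated into a command
    string that a setup script later hands to `sh -c`."""
    return f"git fetch origin {branch} && git checkout {branch}"


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell does, treating
    ; & | < > as operators, to show where the injected command begins."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Hardened pattern: allowlist the name, then pass it as a single argv element
# with no shell in between. The allowlist is deliberately narrower than
# `git check-ref-format` and forbids a leading '-' so the name cannot be
# parsed as an option.
REF_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def validate_branch(branch: str) -> str:
    if not branch or len(branch) > 255:
        raise ValueError("branch name empty or too long")
    for component in branch.split("/"):
        if (not REF_COMPONENT.fullmatch(component)
                or ".." in component or component.endswith(".lock")):
            raise ValueError(f"rejected branch component {component!r}")
    return branch


def safe_setup_argv(branch: str) -> list[list[str]]:
    """Argument vectors to run with subprocess.run(argv, check=True);
    the branch name is one argument, never part of a shell string."""
    branch = validate_branch(branch)
    return [["git", "fetch", "origin", branch], ["git", "checkout", branch]]


# Detection: flag names carrying shell metacharacters, IFS substitution or
# non-ASCII whitespace, as the monitoring recommendation above asks.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n]")


def suspicious_branch_reasons(branch: str) -> list[str]:
    reasons = []
    if SHELL_META.search(branch):
        reasons.append("shell metacharacters")
    if "$IFS" in branch or "${IFS}" in branch:
        reasons.append("IFS space substitution")
    hidden = [c for c in branch
              if unicodedata.category(c) == "Zs" and c != " "]
    if hidden:
        reasons.append(f"{len(hidden)} non-ASCII space characters")
    if unicodedata.normalize("NFKC", branch) != branch:
        reasons.append("name changes under NFKC normalisation")
    return reasons


def visible_name(branch: str) -> str:
    """What a UI that clips or collapses whitespace would display."""
    return branch.split(IDEOGRAPHIC_SPACE, 1)[0]


if __name__ == "__main__":
    print(shell_tokens(unsafe_setup_command(MALICIOUS_BRANCH)))
    print(visible_name(MALICIOUS_BRANCH), suspicious_branch_reasons(MALICIOUS_BRANCH))
    print(safe_setup_argv("release/1.2"))
```

Tokenising the vulnerable command string shows the ";" operator appearing as a separate word after the branch name, which is exactly the boundary a shell would honour. The hardened path refuses the name outright, and even a rule as simple as "no U+3000 and no ${IFS} in a ref name" would have flagged this branch in a repository audit.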




