Six research teams. Nine months. One attack surface that nobody was watching until it bled credentials across production systems. On March 30, BeyondTrust demonstrated that a crafted GitHub branch name could steal Codex's OAuth token in cleartext — OpenAI classified it Critical P1 and shipped a fix by February 5. Two days later, Adversa found Claude Code silently dropped its own deny rules once a command exceeded 50 subcommands. The pattern held across every vendor. An AI coding agent holds a credential, executes an action, and authenticates to a production system without a human session anchoring the request.

Codex's Branch Name Shell Injection

BeyondTrust researcher Tyler Jespersen found that Codex cloned repositories using a GitHub OAuth token embedded in the git remote URL. During cloning, the branch name parameter flowed unsanitized into the setup script — a semicolon and backtick turned it into an exfiltration payload. But the stealth is what made this surgical. By appending 94 Ideographic Space characters (Unicode U+3000) after "main," the malicious branch looked identical to the standard main branch in Codex's web portal. A developer sees "main." The shell sees curl exfiltrating their token. OpenAI remediated by February 5, but the vector existed because no input sanitization was performed on container setup parameters.

Claude Code's Triple Failure

Claude Code accumulated three separate vulnerabilities across two CVEs and one undocumented bypass. CVE-2026-25723 hit file-write restrictions — piped sed and echo commands escaped the project sandbox because command chaining wasn't validated, patched in 2.0.55. CVE-2026-33068 was subtler: Claude Code resolved permission modes from .claude/settings.json before showing the workspace trust dialog, so a malicious repo could set permissions.defaultMode to bypassPermissions and skip the prompt entirely, patched in 2.1.53. The third exploit came from Adversa directly — once a command exceeded 50 subcommands, Claude Code silently dropped deny-rule enforcement. Anthropic's engineers had traded security for speed and stopped checking after the fiftieth iteration, patched in 2.1.90.

Copilot's Pull Request and GitHub Issue RCE

Johann Rehberger and Markus Vervier of Persistent Security demonstrated CVE-2025-53773: hidden instructions in pull request descriptions triggered Copilot to flip auto-approve mode in .vscode/settings.json, disabling all confirmations and granting unrestricted shell execution across Windows, macOS, and Linux. Microsoft patched it in the August 2025 Patch Tuesday release. Then Orca Security cracked Copilot inside GitHub Codespaces — hidden instructions in a GitHub issue manipulated Copilot into checking out a malicious PR with a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json, and a crafted JSON $schema URL exfiltrated the privileged GITHUB_TOKEN. Full repository takeover. Zero user interaction beyond opening the issue.

Vertex AI's Overprivileged Service Identity

Unit 42 researcher Ofir Shaty found that the default Google service identity attached to every Vertex AI agent had excessive permissions by design. Stolen P4SA credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted, Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine. Shaty described the compromised P4SA as functioning like a "double agent" with access to both user data and Google's own infrastructure. The OAuth scopes were non-editable by default — least privilege was violated before the first agent ever ran.

Every Vendor Shipped a Defense. Every Defense Was Bypassed.

The VentureBeat defense grid tells the story: sandbox execution, file system restrictions, prompt injection filtering, scope limiting — all shipped, all bypassed. Security scanners like Anthropic's Claude Code Security (February 2026) and OpenAI's Codex Security (March 2026) scan generated code but neither scans the agent's own execution environment or credential handling. Carter Rees, VP of AI at Reputation and Utah AI Commission member, put it plainly: "A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions." The repository decided what permissions the agent had. The token budget decided which deny rules survived.

Threat Actors Reverse-Engineer Patches Within 72 Hours

Mike Riemer, CTO at Ivanti, framed the operational reality in stark terms: "Threat actors are reverse engineering patches within 72 hours. If a customer doesn't patch within 72 hours of release, they're open to exploit." AI agents compress that window further — what took threat actors days to weaponize against human-operated systems can be automated against agent-run systems in seconds. Riemer's validation-first principle cuts through the noise: "It becomes, I don't know you until I validate you." The branch name talked to the shell before validation. The GitHub issue talked to Copilot before anyone read it.

Key Takeaways

  • Inventory every AI coding agent (Codex, Claude Code, Copilot, Cursor, Gemini Code Assist, Windsurf) and list their OAuth scopes in your CMDB — if there's no category for AI agent identities, create one
  • Audit OAuth scopes now. Upgrade Claude Code to 2.1.90 or later. Verify Copilot's August 2025 patch. Migrate Vertex AI to the bring-your-own-service-account model before your next renewal cycle
  • Treat branch names, PR descriptions, GitHub issues, and repo configuration as untrusted input. Monitor for Unicode obfuscation (U+3000), command chaining over 50 subcommands, and changes to .vscode/settings.json or .claude/settings.json that flip permission modes
  • Govern agent identities with the same rigor as human privileged identities — credential rotation, least-privilege scoping, separation of duties between agents that write code and agents that deploy it. CyberArk, Delinea, and any PAM platform accepting non-human identities can onboard agent OAuth credentials today; only 21.9% of teams have done so per Gravitee's 2026 survey

The Bottom Line

CrowdStrike CTO Elia Zaitsev said it at RSAC 2026: you already know what to do — agents just made the cost of not doing it catastrophic. Every exploit targeted runtime credentials, not model output. Every vendor shipped a defense that didn't address the agent itself as the attack surface. The governance gap is three sentences: CISOs inventory every human identity and have zero inventory of the AI agents running with equivalent credentials. No IAM framework governs human privilege escalation and agent privilege escalation with the same rigor. Most scanners track every CVE but cannot alert when a branch name exfiltrates a GitHub token through a container that developers trust by default.