Six research teams. Nine months. Four major AI coding platforms. And every single exploit followed the same attack path: compromise a credential, let the agent do the rest. According to reporting by VentureBeat, attackers didn't need to jailbreak Claude Code, Copilot, Codex, or Vertex AI—they just had to wait for those agents to authenticate to production systems using tokens that were never properly scoped or monitored in the first place.
The Branch Name That Stole Codex's GitHub Token
BeyondTrust researchers Tyler Jespersen, Fletcher Davis, and Simon Stewart demonstrated how a crafted GitHub branch name could exfiltrate Codex's OAuth token in cleartext. The mechanism was surgical: during repository cloning, the branch name parameter flowed unsanitized into a setup script. A semicolon and backtick turned it into a subshell payload—curl posting the token to an external server. Stewart added stealth by appending 94 Ideographic Space characters (Unicode U+3000) after "main," making the malicious branch look identical to the standard main branch in the Codex web portal. OpenAI classified this Critical P1 and shipped full remediation by February 5, 2026.
Claude Code's Triple Threat
Claude Code absorbed three separate hits. CVE-2026-25723 exploited piped sed and echo commands that escaped the project sandbox because command chaining was never validated—patched in version 2.0.55. CVE-2026-33068 was subtler: a malicious repository set permissions.defaultMode to bypassPermissions inside .claude/settings.json, which resolved before the workspace trust dialog appeared, so the prompt never fired at all—patched in 2.1.53. Then Adversa found that Claude Code silently dropped deny-rule enforcement once a command exceeded 50 subcommands. Anthropic's engineers had traded security for speed and stopped checking after the fiftieth instruction—patched in 2.1.90.
Copilot Opened a Shell, Then Everything Else
Johann Rehberger and Markus Vervier of Persistent Security demonstrated CVE-2025-53773 against GitHub Copilot: hidden instructions embedded in pull request descriptions triggered Copilot to flip auto-approve mode inside .vscode/settings.json, disabling all confirmations and granting unrestricted shell execution across Windows, macOS, and Linux. Microsoft patched it in the August 2025 Patch Tuesday release. Then Orca Security showed that a GitHub issue could manipulate Copilot into checking out a malicious PR with a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json, exfiltrating the privileged GITHUB_TOKEN for full repository takeover—zero user interaction beyond opening the issue.
Vertex AI's Default Identity Was Overprivileged by Design
Unit 42 researcher Ofir Shaty found that the default Google service identity attached to every Vertex AI agent had excessive permissions baked in. Stolen P4SA credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine. Shaty described the compromised P4SA as functioning like a "double agent," with simultaneous access to user data and Google's own infrastructure.
The Pattern That Should Terrify Every CISO
Every exploit targeted runtime credentials, not model output. Vendors responded by shipping Claude Code Security (February 2026) and Codex Security (March 2026)—both scan generated code for OWASP Top 10 flaws, a separate problem that Veracode quantified: 45% of AI-generated code samples introduced security vulnerabilities. But neither scanner touches the agent's execution environment or credential handling. Carter Rees, VP of AI and ML at Reputation and a member of the Utah AI Commission, put it plainly: "A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions." CrowdStrike CTO Elia Zaitsev told VentureBeat at RSAC 2026 that enterprises need to collapse agent identities back to the human—because an agent acting on your behalf should never have more privileges than you do. Codex held a GitHub OAuth token scoped to every repository the developer authorized. Vertex AI's P4SA read every Cloud Storage bucket in the project. Claude Code traded deny-rule enforcement for token budget performance.
Key Takeaways
- Every major AI coding agent—Codex, Claude Code, Copilot, Vertex AI—was exploited through credential theft, not model manipulation
- Branch names, pull request descriptions, GitHub issues, and repository configuration files must be treated as untrusted input across all platforms
- Default OAuth scopes on AI agents routinely violate least privilege by design; enterprises rarely audit these at setup or rotation
- The 50-subcommand bypass in Claude Code proves that performance optimizations actively erode security controls without alerting operators
The Bottom Line
The AI coding agent market shipped production credentials to production systems and called it a product launch. Enterprises approved an interface, not a system—and the tokens underneath that interface are already compromised or next to be. If your CMDB doesn't have a category for AI agent identities, you don't know what's running in your environment with your GitHub access, your cloud storage read permissions, and your developers' OAuth scopes. That's not a security gap—that's an open door.