Six research teams. Nine months. One pattern that should've been obvious in retrospect: AI coding agents are credential theft machines with very good marketing. On March 30, BeyondTrust proved that a GitHub branch name could steal Codex's OAuth token in cleartext—OpenAI called it Critical P1 and patched it by February 5. Two days later, Adversa found Claude Code silently dropped its own deny rules once commands hit 50 subcommands. These weren't isolated incidents. They were symptoms of a systemic failure hiding in plain sight.
The Branch Name That Stole GitHub Tokens
BeyondTrust researcher Tyler Jespersen, working with Fletcher Davis and Simon Stewart, discovered that Codex cloned repositories using a GitHub OAuth token embedded directly in the git remote URL. Here's where it gets interesting: the branch name parameter flowed unsanitized into the setup script. A semicolon and backtick turned "main" into a subshell execution payload. But Stewart added the stealth layer—by appending 94 Ideographic Space characters (Unicode U+3000) after "main," the malicious branch looked identical to the standard main branch in Codex's web portal. The developer sees "main." The shell sees curl exfiltrating their token.
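The two mitigations that passage implies, shown as an added example rather than anything from BeyondTrust's report or OpenAI's code: validate a branch name before it goes anywhere near a shell (rejecting shell metacharacters, every Unicode separator, control or format code point, and any name whose visible form collides with a protected branch such as "main"), and invoke git with an argument vector rather than a shell string, refusing remote URLs that carry credentials. The SHELL_META and PROTECTED sets and the function names are this example's own choices; the ref-format checks are a subset of git's documented rules.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that must never reach a shell (constructed set for this example).
SHELL_META = set(';|&`$()<>{}\n\r\t"\'\\ ')
# Names a reviewer treats as a trust signal; a name that merely *looks* like one is spoofing.
PROTECTED = {"main", "master", "develop"}


def display_form(name: str) -> str:
    """Drop every code point that renders blank or invisible (Unicode separator and
    control/format categories), i.e. reduce the name to what a reviewer actually sees."""
    return "".join(ch for ch in name if unicodedata.category(ch)[0] not in ("Z", "C"))


def validate_branch(name: str) -> tuple[bool, str]:
    """Return (ok, reason). Checks are ordered so the most specific reason is reported."""
    if not name:
        return False, "empty"
    shown = display_form(name)
    if shown != name and shown in PROTECTED:
        # e.g. "main" followed by Ideographic Spaces (U+3000) displays as "main"
        return False, "spoofs protected branch name"
    if any(ch in SHELL_META for ch in name):
        return False, "shell metacharacter"
    if any(unicodedata.category(ch)[0] == "C" for ch in name):
        return False, "control or format character"
    if any(unicodedata.category(ch)[0] == "Z" for ch in name):
        return False, "unicode separator"
    if (name.startswith("-") or name.startswith("/") or name.endswith("/")
            or name.endswith(".") or name.endswith(".lock")
            or ".." in name or "//" in name or "@{" in name):
        return False, "invalid ref format"
    return True, "ok"


def remote_has_embedded_credentials(url: str) -> bool:
    """True for https://user:token@host/... forms; a token belongs in a credential helper."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def build_clone_argv(repo_url: str, branch: str, dest: str = "repo") -> list[str]:
    """Build the argv for subprocess.run(argv); nothing here is re-parsed by a shell."""
    ok, why = validate_branch(branch)
    if not ok:
        raise ValueError(f"refused branch name: {why}")
    if remote_has_embedded_credentials(repo_url):
        raise ValueError("refusing remote URL with embedded credentials")
    # "--" stops git from reading a URL that begins with "-" as an option.
    return ["git", "clone", "--branch", branch, "--single-branch", "--", repo_url, dest]


if __name__ == "__main__":
    for candidate in ("main", "main" + "\u3000" * 94, "feature/login-fix"):
        print(repr(candidate[:12]), validate_branch(candidate))
```

The spoof check runs before the generic separator check so that the audit log says why a name was refused; the same function also rejects the plain ASCII injection case, since ";" and the backtick are in SHELL_META.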
Claude Code's Triple Threat
Anthropic's agent had a rougher nine months. CVE-2026-25723 bypassed file-write restrictions: piped sed and echo commands escaped the project sandbox because command chaining wasn't validated—patched in 2.0.55. CVE-2026-33068 was subtler: Claude Code resolved permission modes from .claude/settings.json before showing the workspace trust dialog, so a malicious repo could set permissions.defaultMode to bypassPermissions and never trigger the prompt—patched in 2.1.53. Then Adversa landed the third blow: once commands exceeded 50 subcommands, Claude Code silently dropped deny-rule enforcement entirely. Anthropic's engineers had traded security for speed and stopped checking after the fiftieth subprocess.
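Two of those three failures are the same design mistake, settings or checks that fail open, and the fix is a fail-closed ordering. The following added example (not Anthropic's code; the mode names "default" and "bypassPermissions" come from the article, the 50-subcommand cap is modelled on the Adversa finding, and the deny-rule syntax is this example's own glob form) ignores a workspace-supplied permission mode until the workspace has been trusted, splits a command chain on every shell separator, applies deny rules to each subcommand, and denies the whole chain outright when it exceeds the cap instead of skipping enforcement.

```python
import fnmatch
import shlex

MAX_SUBCOMMANDS = 50  # cap modelled on the article's finding; the point is what happens above it
CHAIN_SEPARATORS = {";", "&&", "||", "|", "&", "|&"}


def effective_mode(workspace_settings: dict, workspace_trusted: bool) -> str:
    """Honour .claude/settings.json permissions.defaultMode only after the trust dialog."""
    requested = workspace_settings.get("permissions", {}).get("defaultMode", "default")
    if not workspace_trusted:
        return "default"          # an untrusted repo cannot pre-select bypassPermissions
    return requested


def split_chain(command: str) -> list[list[str]]:
    """Tokenise with shlex and split into subcommands at every shell separator."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    subcommands, current = [], []
    for tok in lexer:
        if tok in CHAIN_SEPARATORS:
            if current:
                subcommands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        subcommands.append(current)
    return subcommands


def evaluate(command: str, deny_rules: list[str]) -> tuple[str, str]:
    """Return ("allow"|"deny", reason). Fails closed on oversized chains."""
    subs = split_chain(command)
    if len(subs) > MAX_SUBCOMMANDS:
        return "deny", (f"chain of {len(subs)} subcommands exceeds the cap of "
                        f"{MAX_SUBCOMMANDS}; refusing rather than skipping rule checks")
    for tokens in subs:
        line = " ".join(tokens)
        for rule in deny_rules:
            if fnmatch.fnmatchcase(line, rule):
                return "deny", f"subcommand {line!r} matches deny rule {rule!r}"
    return "allow", "no deny rule matched"


if __name__ == "__main__":
    rules = ["sed -i *", "curl *"]
    print(effective_mode({"permissions": {"defaultMode": "bypassPermissions"}}, False))
    print(evaluate("ls; sed -i s/a/b/ notes.txt", rules))
    print(evaluate("; ".join(["true"] * 51), rules))
```

Every subcommand in a chain under the cap is checked, including the fiftieth; anything longer is refused with a reason the user can act on, which is the behaviour the article says was missing.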
Copilot Got Owned Twice
Johann Rehberger and Markus Vervier of Persistent Security demonstrated CVE-2025-53773 against GitHub Copilot: hidden instructions in pull request descriptions triggered Copilot to flip auto-approve mode in .vscode/settings.json, disabling all confirmations and granting unrestricted shell execution across Windows, macOS, and Linux. Microsoft patched it in August 2025's Patch Tuesday. Then Orca Security cracked Copilot inside GitHub Codespaces—hidden instructions in a GitHub issue manipulated the agent into checking out a malicious PR with a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json. A crafted JSON $schema URL exfiltrated the privileged GITHUB_TOKEN. Full repository takeover. Zero user interaction beyond opening the issue.
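The Codespaces path in that passage turns on a symlink inside the checkout resolving to a file outside it. The check a defender would run on a freshly checked-out PR is an added example here, not Orca's or GitHub's code: walk the tree without following links, and for every symlink report whether its fully resolved target stays under the workspace root. The demo() helper builds a constructed temporary workspace with one harmless in-tree link and one link to a stand-in secrets file; the file name mirrors the article's but the directory layout and contents are invented.

```python
import os
import tempfile
from pathlib import Path


def resolves_inside(root: Path, candidate: Path) -> bool:
    """True only if the fully symlink-resolved path stays under the workspace root."""
    root_real = root.resolve()
    target = candidate.resolve()   # non-strict: follows links even if the target is missing
    return target == root_real or root_real in target.parents


def audit_symlinks(root: Path) -> list[tuple[str, str, bool]]:
    """Report (relative path, raw link target, resolves inside root) for every symlink."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False by default
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                findings.append((str(p.relative_to(root)), os.readlink(p),
                                 resolves_inside(root, p)))
    return sorted(findings)


def demo() -> list[tuple[str, str, bool]]:
    """Constructed workspace: one in-tree link, one link escaping to a secrets file."""
    base = Path(tempfile.mkdtemp())
    root = base / "workspace" / "repo"
    (root / "docs").mkdir(parents=True)
    (root / "README.md").write_text("demo\n")
    outside = base / "secrets" / "user-secrets-envs.json"      # stand-in location
    outside.parent.mkdir(parents=True)
    outside.write_text('{"GITHUB_TOKEN": "placeholder"}\n')     # placeholder value
    os.symlink("../README.md", root / "docs" / "readme-link")
    os.symlink("../../secrets/user-secrets-envs.json", root / "config.json")
    return audit_symlinks(root)


if __name__ == "__main__":
    for rel, target, inside in demo():
        print(f"{rel:20} -> {target:40} {'ok' if inside else 'ESCAPES WORKSPACE'}")
```

A CI gate that runs this after checkout and fails on any escaping link closes the symlink leg of the chain regardless of what the prompt injection talked the agent into; the raw link target is reported separately from the resolved result because the target string is what shows up in the PR diff.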
Vertex AI's Double Agent Problem
Unit 42 researcher Ofir Shaty found that Google Vertex AI shipped with a default service identity (P4SA) that had excessive permissions by design. Those stolen credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted, Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine. Shaty described the compromised P4SA as functioning like a "double agent"—access to both user data and Google's own infrastructure.
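The least-privilege check that finding calls for is an added example, not Unit 42's tooling or Google's: audit a project IAM policy for service identities holding project-wide roles that read every Cloud Storage object. The policy shape matches what gcloud projects get-iam-policy --format=json returns; the sample policy itself is constructed, the service-agent address uses a zeroed placeholder project number, and the choice of which roles count as broad is this example's own.

```python
import json

# Real GCP role names; treating these as "broad storage read" is this example's policy.
BROAD_STORAGE_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/viewer", "roles/editor", "roles/owner",
}

# Constructed policy; the aiplatform service agent below is a placeholder, not a real project.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:service-000000000000@gcp-sa-aiplatform.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:dev@example.com"],
     "condition": {"title": "one-bucket",
                   "expression": "resource.name.startsWith('projects/_/buckets/model-artifacts/')"}},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def audit_service_identities(policy: dict) -> list[dict]:
    """Flag service accounts with an unconditional, project-wide broad storage role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_STORAGE_ROLES:
            continue
        if "condition" in binding:
            continue   # already scoped by a condition; review separately, not flagged here
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append({
                    "member": member,
                    "role": role,
                    "fix": "bind the role on the specific bucket instead, or grant a narrower role",
                })
    return findings


if __name__ == "__main__":
    for f in audit_service_identities(SAMPLE_POLICY):
        print(f"{f['member']} has {f['role']} project-wide: {f['fix']}")
```

Conditional bindings are skipped rather than flagged because a resource-name condition is the bucket-level scoping the fix recommends; human members are out of scope for this check, which is about the agent's identity, the "double agent" in the article.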
Key Takeaways
- Every exploit targeted runtime credentials, not model output—the agent itself is the attack surface
- 64% of developers have started using AI coding agents; Veracode found 45% of generated code introduces OWASP Top 10 flaws
- Mike Riemer (CTO at Ivanti): "Threat actors are reverse engineering patches within 72 hours"—agents compress that window to seconds
- Vendors shipped defenses. Every defense was bypassed.
The Real Problem Nobody's Fixing
Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, named the failure with surgical precision in an exclusive VentureBeat interview: "Enterprises believe they've 'approved' AI vendors, but what they've actually approved is an interface, not the underlying system." The credentials underneath the interface are the breach. CrowdStrike CTO Elia Zaitsev put it even more bluntly at RSAC 2026: collapse agent identities back to the human, because an agent acting on your behalf should never have more privileges than you do. Codex held a GitHub OAuth token scoped to every repository the developer authorized. Vertex AI's P4SA read every Cloud Storage bucket in the project.
The Bottom Line
The governance gap is three sentences: Most CISOs inventory every human identity and have zero inventory of the AI agents running with equivalent credentials. No IAM framework governs agent privilege escalation with the same rigor as human privilege escalation. Most scanners track every CVE but can't alert when a branch name exfiltrates a GitHub token through a container that developers trust by default. You already know what to do—agents just made the cost of not doing it catastrophic.