Six research teams. Nine months. One attack pattern that pwned Codex, Claude Code, Copilot, and Vertex AI in succession. The exploit chain was always the same: an AI coding agent held a credential, executed an action it shouldn't have, and authenticated to a production system—without any human session anchoring the request. This isn't theoretical. Every one of these vulnerabilities shipped as a real exploit against real enterprise environments.

Codex's Branch Name Token Heist

BeyondTrust researchers Tyler Jespersen, Fletcher Davis, and Simon Stewart demonstrated how a crafted GitHub branch name could steal Codex's OAuth token in cleartext. The attack was surgical: during repository cloning, the branch name parameter flowed unsanitized into a setup script. A semicolon and backtick turned the branch name into an exfiltration payload executing before any cleanup routines ran. But Stewart added the stealth layer—appending 94 Ideographic Space characters (Unicode U+3000) after "main" made the malicious branch look identical to the standard main branch in Codex's web portal. Developers saw "main." The shell saw curl exfiltrating their token. OpenAI classified it Critical P1 and shipped full remediation by February 5, 2026.

Claude Code's Triple CVEs

Anthropic's agent didn't get off lighter—it got hit harder with three separate vulnerabilities across a single product family. CVE-2026-25723 exploited Claude Code's file-write restrictions: piped sed and echo commands escaped the project sandbox because command chaining went unvalidated. Patched in 2.0.55. The second, CVE-2026-33068, was subtler—Claude Code resolved permission modes from .claude/settings.json before showing the workspace trust dialog, so a malicious repository could set permissions.defaultMode to bypassPermissions and skip the prompt entirely. Patched in 2.1.53. The third exploit came from Adversa and exposed a performance-vs-security tradeoff that should alarm every enterprise security team: Claude Code silently dropped deny-rule enforcement once a command exceeded 50 subcommands. Anthropic's engineers had traded security for speed and stopped checking after the fiftieth subprocess. Patched in 2.1.90.

Copilot's Invisible Privilege Escalation

GitHub Copilot took two hits from different research teams using identical attack philosophy—hidden instructions embedded where developers wouldn't think to look. Johann Rehberger and Markus Vervier of Persistent Security demonstrated CVE-2025-53773: hidden instructions in pull request descriptions triggered Copilot to flip auto-approve mode in .vscode/settings.json, disabling all confirmations and granting unrestricted shell execution across Windows, macOS, and Linux simultaneously. Microsoft patched it in the August 2025 Patch Tuesday release. Orca Security's researchers went further inside GitHub Codespaces itself. Hidden instructions in a GitHub issue manipulated Copilot into checking out a malicious PR containing a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json, and a crafted JSON $schema URL exfiltrated the privileged GITHUB_TOKEN. Full repository takeover. Zero user interaction beyond opening the issue.

Vertex AI's Double Agent Problem

Unit 42 researcher Ofir Shaty found the most dangerous default configuration of the bunch: Google Vertex AI agents shipped with a P4SA service identity that had excessive permissions by design. Stolen credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted, Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine itself. Shaty described the compromised P4SA as functioning like a "double agent," with simultaneous access to user data and Google's own infrastructure.

The Pattern: Credentials Without Human Anchors

"Enterprises believe they've 'approved' AI vendors, but what they've actually approved is an interface, not the underlying system," Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, told VentureBeat in an exclusive interview. "The credentials underneath the interface are the breach." CrowdStrike CTO Elia Zaitsev cut sharper at RSAC 2026: agents just made the cost of not doing credential governance catastrophic. Mike Riemer, CTO at Ivanti, put operational teeth on the timeline problem. "Threat actors are reverse engineering patches within 72 hours," he said in an exclusive interview. "If a customer doesn't patch within 72 hours of release, they're open to exploit." AI agents compress that window to seconds.

Action Plan: Treat Agents Like Privileged Humans

Security directors need to inventory every AI coding agent—Codex, Claude Code, Copilot, Cursor, Gemini Code Assist, Windsurf—and catalog the credentials and OAuth scopes each received at setup. If your CMDB has no category for AI agent identities, create one today. Upgrade Claude Code to 2.1.90 or later. Verify Copilot's August 2025 patch is deployed. Migrate Vertex AI to the bring-your-own-service-account model to escape default P4SA overprivilege. Treat branch names, pull request descriptions, GitHub issues, and repository configuration as untrusted input—monitor for Unicode obfuscation like U+3000 characters, command chaining exceeding 50 subcommands, and any changes to .vscode/settings.json or .claude/settings.json that flip permission modes. Govern agent identities the way you govern human privileged access: credential rotation, least-privilege scoping, separation of duties between agents that write code and agents that deploy it.
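One way to put the three monitoring items above into code, as an added Python example that is not from the article or from any of the vendors named in it. The U+3000 indicator, the 50-subcommand threshold and the permissions.defaultMode / bypassPermissions setting come from the article; the function names, the shell-operator set and the sample inputs are constructed for this illustration.

```python
import json
import re
import shlex
import unicodedata

# Indicators taken from the article: U+3000 padding on a branch name (Codex),
# deny rules no longer enforced past 50 subcommands (Claude Code), and
# permissions.defaultMode flipped to bypassPermissions in .claude/settings.json.
MAX_SUBCOMMANDS = 50
SHELL_META = re.compile(r"[;`|&$<>(){}]")
SHELL_OPERATORS = {";", "|", "||", "&&", "&"}


def suspicious_branch_name(name: str) -> list:
    """Reasons a ref name must not reach a shell unquoted (empty list = clean)."""
    reasons = []
    for ch in name:
        # Zs = space separators (U+3000 is one), Cf = zero-width/format chars.
        if unicodedata.category(ch) in ("Zs", "Cf") and ch != " ":
            reasons.append("non-ASCII whitespace/format char U+%04X" % ord(ch))
            break
    if SHELL_META.search(name):
        reasons.append("shell metacharacter")
    return reasons


def count_subcommands(command: str) -> int:
    """Count subcommands joined by ; | || && & or newlines (quoted text is one word)."""
    lexer = shlex.shlex(command.replace("\n", " ; "), posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, in_segment = 0, False
    for tok in lexer:
        if tok in SHELL_OPERATORS:
            in_segment = False
        elif not in_segment:
            segments, in_segment = segments + 1, True
    return segments


def exceeds_subcommand_limit(command: str) -> bool:
    return count_subcommands(command) > MAX_SUBCOMMANDS


def flips_permission_mode(settings_json: str) -> bool:
    """True if a .claude/settings.json sets permissions.defaultMode to bypassPermissions."""
    data = json.loads(settings_json)
    perms = data.get("permissions") or {}
    return perms.get("defaultMode") == "bypassPermissions"


if __name__ == "__main__":
    # Constructed sample, not captured from any real repository.
    print(suspicious_branch_name("main" + "\u3000" * 94 + ";`id`"))
```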

Key Takeaways

  • Six exploits across nine months all targeted runtime credentials, not model output quality
  • Every vendor shipped a defense; every defense was bypassed by attackers who understood the credential layer
  • Claude Code's 50-subcommand deny-rule bypass proves security was traded for performance under token budget pressure
  • Copilot in GitHub Codespaces could be manipulated via issues to achieve full repository takeover with zero user interaction beyond opening the issue
  • Vertex AI's default P4SA credentials reached both customer data and Google's own Artifact Registry supply chain

The Bottom Line

The Sonar 2026 State of Code Developer Survey found 64% of developers have started using AI agents, yet no major vendor ships agent identity lifecycle management. Most CISOs inventory every human identity in their environment while having zero visibility into the AI agents running with equivalent credentials. You already know what to do—collapse agent identities back to the human, scope them least-privilege, and verify before you communicate. AI coding assistants just made the cost of not doing it catastrophic.