Six research teams dropped zero-days against Codex, Claude Code, Copilot, and Vertex AI between mid-2025 and early 2026 — and every single exploit followed the same playbook. An AI coding agent held a credential, executed an action, and authenticated to a production system without any human session anchoring the request. The attack surface was first demonstrated at Black Hat USA 2025 when Zenity CTO Michael Bargury hijacked ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein, and Cursor using Jira MCP on stage with zero clicks. Nine months later, those credentials are exactly what attackers reached.

The Branch Name That Stole Codex's OAuth Token

BeyondTrust researcher Tyler Jespersen, working with Fletcher Davis and Simon Stewart, found that Codex cloned repositories using a GitHub OAuth token embedded directly in the git remote URL. During cloning, the branch name parameter flowed completely unsanitized into the setup script — meaning a semicolon and backtick subshell turned the branch name itself into an exfiltration payload. But Stewart added the stealth layer: by appending 94 Ideographic Space characters (Unicode U+3000) after 'main,' the malicious branch looked identical to the standard main branch in the Codex web portal. A developer sees 'main.' The shell sees curl exfiltrating their token in cleartext. OpenAI classified it Critical P1 and shipped full remediation by February 5, 2026.

Claude Code's Triple Threat

Anthropic's agent had an even rougher stretch. CVE-2026-25723 hit Claude Code's file-write restrictions — piped sed and echo commands escaped the project sandbox because command chaining was never validated. Patched in version 2.0.55. CVE-2026-33068 was subtler: Claude Code resolved permission modes from .claude/settings.json before showing the workspace trust dialog, so a malicious repo could set permissions.defaultMode to bypassPermissions and the trust prompt would never appear. Patched in version 2.1.53. Then Adversa found that Claude Code silently dropped deny-rule enforcement once a command exceeded 50 subcommands — Anthropic's engineers had traded security for speed and stopped checking after the fiftieth. Patched in version 2.1.90.

Copilot's Silent Privilege Escalation

Johann Rehberger demonstrated CVE-2025-53773 against GitHub Copilot with Markus Vervier of Persistent Security as co-discoverer. Hidden instructions embedded in pull request descriptions triggered Copilot to flip auto-approve mode in .vscode/settings.json — disabling all confirmations and granting unrestricted shell execution across Windows, macOS, and Linux. Microsoft patched it in the August 2025 Patch Tuesday release. But Orca Security wasn't done: they found that hidden instructions inside a GitHub issue manipulated Copilot into checking out a malicious PR with a symbolic link pointing to /workspaces/.codespaces/shared/user-secrets-envs.json. A crafted JSON $schema URL then exfiltrated the privileged GITHUB_TOKEN. Full repository takeover. Zero user interaction beyond opening the issue.

Vertex AI's Double Agent Problem

Unit 42 researcher Ofir Shaty found that Google's default service identity attached to every Vertex AI agent had excessive permissions by design. Stolen P4SA credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted, Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine. Shaty described the compromised P4SA as functioning like a 'double agent,' with access to both user data and Google's own infrastructure simultaneously.

The Credential Gap Enterprises Won't Acknowledge

Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, named the failure directly in an exclusive VentureBeat interview: 'Enterprises believe they've approved AI vendors, but what they've actually approved is an interface, not the underlying system. The credentials underneath the interface are the breach.' Kayne McGladrey, an IEEE Senior Member advising enterprises on identity risk, put it even more bluntly: 'It uses far more permissions than it should have — more than a human would — because of the speed of scale and intent.'

CrowdStrike CTO Elia Zaitsev told RSAC 2026 attendees the fix is simple: collapse agent identities back to the human. An agent acting on your behalf should never have more privileges than you do. Codex held a GitHub OAuth token scoped to every repository the developer authorized. Vertex AI's P4SA read every Cloud Storage bucket in the project. Claude Code traded deny-rule enforcement for token budget.

Mike Riemer, CTO at Ivanti, framed the operational reality in stark terms: 'Threat actors are reverse engineering patches within 72 hours. If a customer doesn't patch within 72 hours of release, they're open to exploit.' AI agents compress that window to seconds. Every vendor shipped a defense after getting burned — and every defense was bypassed anyway.

Key Takeaways

  • Inventory every AI coding agent in your environment: Codex, Claude Code, Copilot, Cursor, Gemini Code Assist, Windsurf. If your CMDB has no category for AI agent identities, create one immediately.
  • Audit OAuth scopes and patch levels now. Upgrade Claude Code to 2.1.90 or later. Verify Copilot's August 2025 patch is deployed.
  • Treat branch names, PR descriptions, GitHub issues, and repo configuration as untrusted input. Monitor for Unicode obfuscation (U+3000), command chaining over 50 subcommands, and changes to settings.json that flip permission modes.
  • Govern agent identities with the same rigor as human privileged identities using PAM/IGA platforms like CyberArk or Delinea.
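As an added illustration of the monitoring takeaway above (example code written for this article, not from any vendor or researcher it names), these Python helpers flag the three untrusted-input patterns the list calls out: invisible Unicode padding and shell metacharacters in branch names, command chains above the 50-subcommand threshold, and settings keys that switch off permission prompts. The chat.tools.autoApprove key name is an assumption, since the article does not name Copilot's setting.

```python
"""Constructed detection helpers for the three injection channels above."""
import json
import re
import shlex
import unicodedata

# Characters a shell would interpret if the branch name reaches a setup script.
SHELL_META = re.compile(r"[;`|&$(){}<>\n]")
SUBCOMMAND_LIMIT = 50  # the threshold past which deny-rule checks were skipped


def check_branch_name(name: str) -> list:
    """Return findings for a branch name that looks like 'main' but is not."""
    findings = []
    # Non-ASCII whitespace, format (Cf) or separator (Zs) code points such as
    # U+3000 render as nothing in most UIs, so one occurrence is enough to flag.
    for ch in name:
        if ord(ch) > 0x7F and (ch.isspace() or unicodedata.category(ch) in ("Cf", "Zs")):
            findings.append(f"invisible code point U+{ord(ch):04X}")
            break
    if SHELL_META.search(name):
        findings.append("shell metacharacter")
    stripped = name.rstrip()  # str.rstrip() removes U+3000 along with ASCII blanks
    if stripped != name and stripped in ("main", "master"):
        findings.append(f"spoofs default branch {stripped!r}")
    return findings


def count_subcommands(command: str) -> int:
    """Count shell subcommands joined by ; & && | ||, honouring quoting."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in (";", "&", "&&", "|", "||"))


def exceeds_subcommand_limit(command: str) -> bool:
    """True when a chain is long enough to have hit the skipped-check path."""
    return count_subcommands(command) > SUBCOMMAND_LIMIT


def check_settings(settings_json: str) -> list:
    """Flag settings that silence an agent's permission prompts."""
    findings = []
    settings = json.loads(settings_json)
    if settings.get("permissions", {}).get("defaultMode") == "bypassPermissions":
        findings.append("permissions.defaultMode=bypassPermissions")
    # Assumed key name for Copilot's auto-approve toggle in .vscode/settings.json.
    if settings.get("chat.tools.autoApprove") is True:
        findings.append("chat.tools.autoApprove=true")
    return findings
```

Run the branch check on every ref in a push or PR webhook and the settings check on any diff touching .claude/settings.json or .vscode/settings.json; both return an empty list for clean input.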

The Bottom Line

The Sonar 2026 State of Code Developer Survey found 64% of developers have started using AI agents — but no major vendor ships agent identity discovery, lifecycle management, or runtime credential monitoring. Every CVE scanner in your stack tracks these vulnerabilities perfectly while remaining completely blind to a branch name exfiltrating a GitHub token through a container that developers trust by default. Zaitsev was right: you already know what to do. AI agents just made the cost of not doing it catastrophic.