Critical Command Injection in AI Coding Agent Exposed GitHub Tokens

The growing adoption of AI coding assistants is introducing powerful productivity gains — but also new security risks. Researchers recently uncovered a critical vulnerability in OpenAI Codex that allowed attackers to steal sensitive access tokens from connected GitHub repositories.

The flaw, discovered by Phantom Labs at BeyondTrust, involved a command injection vulnerability that could be exploited to gain unauthorized access to development environments and source code repositories.

How the Command Injection Worked

OpenAI Codex operates by launching managed containers whenever users submit prompts for code generation or repository analysis. These containers interact directly with GitHub repositories using authenticated tokens.

Researchers found that during container initialization, the system improperly handled user-supplied input — specifically the GitHub branch name parameter in an HTTP POST request. This parameter was passed directly into setup scripts without proper sanitization.

By injecting malicious shell commands into the branch name, attackers could force the container to expose hidden OAuth tokens. For example, a payload could write the GitHub access token into a file, which the attacker could later retrieve through the Codex interface.

Once obtained, the token granted attackers the same permissions as the AI agent, enabling lateral movement across repositories.

Local Token Exposure Risk

The issue extended beyond cloud containers. Desktop implementations of Codex on Windows, macOS, and Linux store authentication credentials locally.

If an attacker gained access to a developer’s machine, they could extract session tokens and authenticate against backend APIs. This allowed retrieval of task histories and extraction of GitHub access tokens stored within container logs.

The attack could even be automated, enabling compromise of multiple users without direct interaction.

Malicious Branch Name Technique

Attackers could also weaponize shared repositories. By creating a malicious branch name containing hidden shell payloads, they could trigger exploitation whenever Codex interacted with that repository.

To evade detection:

  • Spaces were replaced with the shell's internal field separator variable (IFS), so the branch name contained no literal whitespace
  • Unicode ideographic spaces hid payloads visually
  • Branch names appeared identical to legitimate ones

When a developer or automated process accessed the repository, the payload executed silently and exfiltrated tokens to attacker-controlled servers.

Pull Request Automation Expanded Impact

The vulnerability also affected automated pull request workflows. When developers requested code reviews from the Codex bot, containers were launched automatically.

If a malicious branch existed, the payload executed during the review process, allowing attackers to steal broader GitHub installation tokens — potentially impacting entire organizations.

Affected Platforms and Patch

The vulnerability impacted multiple Codex environments:

  • ChatGPT web integration
  • Codex CLI
  • Codex SDK
  • IDE extensions

The issue was responsibly disclosed to OpenAI in December 2025 and fully patched by late January 2026.

Security Lessons for Development Teams

This incident highlights the need to treat AI coding agents as high-privilege components within development pipelines. Organizations should:

  • Sanitize all user-controlled inputs before shell execution
  • Enforce least-privilege access for AI tools
  • Monitor repositories for suspicious branch names
  • Rotate GitHub tokens regularly
  • Audit API logs for unusual activity
  • Treat AI containers as security boundaries
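To make the first and third recommendations concrete, here is an added example (written for this article, not code from OpenAI, Codex or the BeyondTrust researchers) in Python: the vulnerable string-interpolation pattern sits beside a hardened form that allow-list-validates the branch name and passes it as an argv element, and a small detector flags the evasion markers described above (shell metacharacters, IFS references, Unicode spaces). The function names, the allow-list pattern and the repository URL are assumptions.

```python
import re
import unicodedata

# Allow-list for branch names this pipeline is willing to hand to git.
# Deliberately stricter than git's own ref rules: ASCII letters, digits and ./_- only.
SAFE_REF = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$')

# Indicators matching the evasion tricks the article describes.
SHELL_META = re.compile(r'[;&|`$(){}<>\'"\\]')
IFS_REF = re.compile(r'\$\{?IFS\}?')


def suspicious_branch_indicators(name: str) -> list[str]:
    """Return the reasons a branch name looks like an injection attempt (empty if clean)."""
    reasons = []
    if SHELL_META.search(name):
        reasons.append("shell-metacharacter")
    if IFS_REF.search(name):
        reasons.append("ifs-reference")
    # Unicode category Zs covers space separators such as U+3000 IDEOGRAPHIC SPACE.
    if any(unicodedata.category(ch) == "Zs" and ch != " " for ch in name):
        reasons.append("unicode-space")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        reasons.append("control-character")
    if ".." in name or name.endswith(".lock"):
        reasons.append("invalid-git-ref")
    return reasons


def build_clone_command_unsafe(branch: str, repo_url: str) -> str:
    """The vulnerable pattern: the branch name is interpolated into a string meant for `sh -c`."""
    return f"git clone --branch {branch} {repo_url} repo"


def build_clone_command(branch: str, repo_url: str) -> list[str]:
    """Hardened form: validate first, then return an argv list so no shell parses the name."""
    if not SAFE_REF.match(branch) or suspicious_branch_indicators(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    # "--" keeps git from reading a branch or URL that starts with "-" as an option.
    return ["git", "clone", "--branch", branch, "--", repo_url, "repo"]


if __name__ == "__main__":
    # Constructed sample names; the suspicious ones carry only the harmless command `true`.
    for name in ["feature/login-fix", "fix;true", "fix${IFS}true", "main\u3000x"]:
        print(f"{name!r:22} -> {suspicious_branch_indicators(name) or 'clean'}")
```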

As AI assistants become embedded in developer workflows, vulnerabilities like this demonstrate how quickly automation can turn into a high-impact attack vector if security controls are not rigorously enforced.