In a recent revelation on March 30th, BeyondTrust uncovered a critical vulnerability in OpenAI’s Codex, where a specially crafted GitHub branch name could pilfer Codex’s OAuth token in plain text. This exploit was classified as Critical P1 by OpenAI. Shortly after, Anthropic’s Claude Code source code was leaked onto the public npm registry, leading to Adversa discovering that Claude Code was silently disregarding its own deny rules when a command exceeded 50 subcommands. These incidents were not isolated occurrences but rather part of a series of exploits by six research teams over a nine-month period targeting Codex, Claude Code, Copilot, and Vertex AI.
The vulnerability in Codex allowed the theft of GitHub OAuth tokens through a manipulated branch name during the cloning process. OpenAI promptly addressed this issue by implementing full remediation by February 5, 2026. Similarly, Claude Code faced two CVEs that compromised its file-write restrictions and trust dialog settings. Additionally, a bypass was discovered where Claude Code would ignore deny-rule enforcement once a command exceeded 50 subcommands. These vulnerabilities highlighted the importance of access control in enterprise AI systems.
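The deny-rule bypass above is a fail-open bug: a limit meant to bound how much of a command the checker inspects instead disabled the check. The constructed model below is an added example, not Claude Code's implementation; its shell splitter, deny-rule format and sample rules are assumptions. It places the reported behaviour beside a fail-closed version that evaluates every subcommand and treats "too many to inspect" as a denial.

```python
from __future__ import annotations
import re

# Constructed model of an agent-side command policy checker (assumption:
# this is not Claude Code's real code; rules and splitter are simplified).
SUBCOMMAND_LIMIT = 50  # the threshold the article reports for the bypass

# Constructed deny rules, each a regex matched against one subcommand.
DENY_RULES = [
    r"^\s*rm\s+-rf\b",
    r"^\s*curl\b",
    r"\bsudo\b",
]

# Split on the common shell control operators. Deliberately simple:
# quoting, subshells and heredocs are not handled (assumption).
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_subcommands(command: str) -> list[str]:
    return [part for part in SPLIT_RE.split(command) if part.strip()]


def matches_deny_rule(subcommand: str) -> str | None:
    for pattern in DENY_RULES:
        if re.search(pattern, subcommand):
            return pattern
    return None


def evaluate_fail_open(command: str) -> tuple[str, str]:
    """Models the reported defect: past the limit, rules are skipped and the
    whole command is allowed as though it had been checked."""
    parts = split_subcommands(command)
    if len(parts) > SUBCOMMAND_LIMIT:
        return ("allow", "limit exceeded; deny rules not evaluated")
    for part in parts:
        hit = matches_deny_rule(part)
        if hit:
            return ("deny", f"matched {hit!r} in {part!r}")
    return ("allow", "no deny rule matched")


def evaluate_fail_closed(command: str) -> tuple[str, str]:
    """Hardened form: every subcommand is checked, and a command the checker
    cannot fully inspect is denied rather than waved through."""
    parts = split_subcommands(command)
    for part in parts:
        hit = matches_deny_rule(part)
        if hit:
            return ("deny", f"matched {hit!r} in {part!r}")
    if len(parts) > SUBCOMMAND_LIMIT:
        return ("deny", f"{len(parts)} subcommands exceeds limit {SUBCOMMAND_LIMIT}")
    return ("allow", "no deny rule matched")
```

A regression test for this class of bug is simply a chain of benign subcommands one past the limit followed by a denied one; the checker must deny it.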
On the other hand, Copilot was targeted with exploits that allowed remote code execution via hidden instructions in pull request descriptions and GitHub issues. These vulnerabilities enabled threat actors to gain root access to Copilot and execute arbitrary commands across different operating systems. Microsoft swiftly patched these vulnerabilities in August 2025. Vertex AI also faced security concerns as default scopes attached to every Vertex AI agent granted excessive permissions, leading to unauthorized access to sensitive data and Google’s infrastructure.
The article emphasized the necessity for enterprises to inventory and govern AI coding agents, audit OAuth scopes and patch levels regularly, and treat untrusted inputs with caution. It also stressed the importance of validating agent identities before communication and urged vendors to provide transparent information on identity lifecycle management controls. The governance gap between human and AI agent privileges was highlighted, underscoring the need for enhanced security measures in the face of escalating cyber threats.
Ultimately, the article called for a proactive approach to security, emphasizing the critical role of governance and risk management in mitigating potential vulnerabilities in AI systems. By implementing robust security protocols and staying vigilant against emerging threats, organizations can safeguard their systems and data from malicious actors looking to exploit vulnerabilities in AI technologies.
