AI Coding Agent Flaw Exposed: GitHub Tokens at Risk

BeyondTrust Phantom Labs uncovers critical vulnerability in OpenAI Codex enabling token theft

Researchers at BeyondTrust Phantom Labs have uncovered a critical command injection vulnerability in OpenAI Codex that could have exposed sensitive GitHub OAuth tokens from its cloud-based execution environment.

The flaw originated from improper input validation in how Codex processed GitHub branch names during task execution. By manipulating the branch name parameter, attackers could inject malicious commands into the shell commands run inside the agent’s container, enabling them to extract authentication tokens tied to repositories and workflows.

Given Codex’s deep integration with GitHub repositories, the risk extended far beyond individual users. Researchers demonstrated that the attack could be automated to compromise multiple users working within shared repositories, significantly amplifying its impact.

“AI coding agents are evolving into privileged identities with direct access to critical systems, making them a new and powerful attack surface if not properly secured.”

— Fletcher Davis

The vulnerability affected several Codex interfaces, including the ChatGPT web environment, Codex CLI, SDK, and IDE extensions. This broad exposure raised concerns about the security of AI-driven development environments that operate with elevated privileges.

Potential consequences included token theft, allowing unauthorized access to private code and workflows, as well as broader organisational compromise through lateral movement across interconnected systems. The ability to automate such attacks further increased the risk, enabling large-scale token exfiltration.

Researchers also identified that authentication tokens stored locally on developer machines could be abused through backend APIs, expanding the attack surface. To make the attack stealthier, the researchers developed obfuscated payloads using Unicode characters, which let malicious commands evade visual detection in user interfaces.

According to Fletcher Davis, the findings highlight a growing cybersecurity concern where AI agents act as autonomous entities with access to sensitive environments, often operating beyond traditional security controls.

BeyondTrust responsibly disclosed the vulnerability to OpenAI, which has since remediated the issue in coordination with its security team.

The discovery underscores the urgent need for stronger input validation, secure design practices, and enhanced monitoring of AI-powered development tools as enterprises increasingly adopt automated coding environments.
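The input-validation point above, and the branch-name injection and Unicode-obfuscation findings described earlier, can be made concrete with a small defensive example. The code below is added here and is not BeyondTrust’s, OpenAI’s or Codex’s code; it assumes an agent that runs `git switch <branch>` on an untrusted branch name, and the allowlist it applies is a deliberately stricter subset of git’s own ref-name rules. It shows the injection-prone pattern (branch name interpolated into a shell string) next to a hardened path: allowlist validation, an ASCII-only policy so zero-width or full-width look-alike characters cannot hide in the name, and an argv list so the name is always exactly one argument. All branch names in it are constructed sample inputs.

```python
"""Added example (not BeyondTrust's, OpenAI's or Codex's code): validating an
untrusted git branch name before an agent hands it to a subprocess."""
import re
import subprocess
import unicodedata

# Allowlist: first character alphanumeric (so the name can never be parsed as a
# command-line option), then a conservative subset of what git-check-ref-format
# permits. Shell metacharacters, whitespace and '@{' are all excluded here.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def describe_non_ascii(name: str) -> list[str]:
    """List every non-ASCII code point with its Unicode name. Useful in logs,
    because a zero-width or full-width character is invisible or misleading
    when the raw string is rendered in a UI."""
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
        for ch in name
        if ord(ch) > 0x7F
    ]


def validate_branch_name(name: str) -> str:
    """Return name unchanged if it is a safe branch name, else raise ValueError."""
    if not isinstance(name, str) or not name:
        raise ValueError("empty branch name")
    if not name.isascii():
        # Checked before the regex so the error names the hidden characters.
        raise ValueError("non-ASCII characters: " + ", ".join(describe_non_ascii(name)))
    if not _ALLOWED.fullmatch(name):
        raise ValueError("branch name contains characters outside the allowlist")
    # Structural rules from git-check-ref-format that the character class alone
    # does not enforce.
    if ".." in name or "//" in name:
        raise ValueError("'..' and '//' are not allowed")
    if name.endswith(("/", ".")):
        raise ValueError("branch name must not end with '/' or '.'")
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            raise ValueError(f"invalid path component {component!r}")
    return name


def is_safe_branch_name(name: str) -> bool:
    """Boolean convenience wrapper around validate_branch_name."""
    try:
        validate_branch_name(name)
        return True
    except ValueError:
        return False


def build_shell_command_vulnerable(branch: str) -> str:
    """The injection-prone pattern: the untrusted name becomes shell syntax.
    Returned as a string only to make the sink visible; never executed here."""
    return f"git switch {branch}"  # this string would be run with shell=True


def build_switch_argv(branch: str) -> list[str]:
    """Hardened: validate first, then pass the name as a single argv element."""
    return ["git", "switch", validate_branch_name(branch)]


def switch_branch(branch: str, repo_dir: str) -> subprocess.CompletedProcess:
    """Run the hardened command with no shell involved (hypothetical helper,
    not exercised by the self-check below)."""
    return subprocess.run(build_switch_argv(branch), cwd=repo_dir, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign name, one shell-syntax name, one with
    # a zero-width space, one option-like name and one git-structural violation.
    for sample in ["feature/login-fix", "feature; id", "main\u200b", "-x", "a..b"]:
        print(f"{sample!r:24} safe={is_safe_branch_name(sample)}")
```

The key design choice is that validation and safe invocation are separate layers: even if a name somehow passed the allowlist, the argv form means it can only ever reach git as one argument, never as shell syntax, and the Unicode report gives a monitoring pipeline something concrete to alert on.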
