OpenAI Codex Command Injection Steals GitHub Access


Marcus Rodriguez
April 7, 2026

As development teams increasingly integrate AI coding agents, they encounter novel and high-impact attack surfaces.

Phantom Labs at BeyondTrust recently discovered a critical command-injection vulnerability in OpenAI Codex. This flaw allowed attackers to steal sensitive GitHub User Access Tokens.

By exploiting how Codex handles task creation requests, threat actors could laterally move into an organization’s GitHub environment using the exact permissions granted to the AI agent.

The Command Injection Exploit

OpenAI Codex is a cloud-based coding assistant that connects directly to developers’ GitHub repositories.

When a user submits a prompt, Codex spins up a managed container to run tasks such as code generation or repository analysis.

Codex attack path (source: BeyondTrust)

BeyondTrust researchers found that during this container setup phase, the system failed to sanitize input properly.

Specifically, the GitHub branch name parameter in the HTTP POST request was passed directly into the environment’s setup scripts.

An attacker could exploit this by injecting a shell command into the branch name. For example, a malicious payload could force the system to output the hidden GitHub OAuth token to a readable text file.

The attacker could then prompt the Codex agent to read that file, exposing the cleartext token directly in the web interface.

Authorizing ChatGPT Codex Connector on the GitHub application (source: BeyondTrust)

The danger extended beyond the web portal to local developer environments. Researchers discovered that desktop Codex applications store authentication credentials locally in an authentication file.

If an attacker gained access to a developer’s machine running Windows, macOS, or Linux, they could steal these local session tokens.

By using these compromised local tokens to authenticate against the backend API, the attacker could retrieve the user’s entire task history.

This backend access allowed them to extract the GitHub access tokens hidden deep within the container task logs. The attack could also be automated to compromise multiple users without ever interacting with the Codex interface.

By creating a malicious branch directly in a shared GitHub repository, an attacker could trigger the exploit against anyone using Codex on that specific codebase.

Codex authentication tokens stored in auth.json (source: BeyondTrust)

GitHub's branch-naming restrictions block standard spaces. To get around them, attackers replaced the spaces in the payload with the shell's internal field separator.

They also cleverly hid the malicious payload from the user interface using Unicode Ideographic Spaces. To an unsuspecting victim, the malicious branch appeared identical to the standard main branch.

Once a user or automated process interacted with it, the payload executed silently in the background, sending their GitHub token to an external server controlled by the attacker.

Stealing Installation Tokens

This automated branch attack also worked against automated pull requests. When a developer tagged the Codex bot to perform a code review on a pull request, the system initiated a code review container.

If the repository contained the maliciously named branch, the automated container would execute the hidden payload, allowing attackers to steal the broader GitHub Installation Access token.

Codex container logs demonstrating command injection (source: BeyondTrust)

This vulnerability carried a Critical rating and affected the ChatGPT website, Codex CLI, Codex SDK, and Codex IDE Extensions.

OpenAI received the responsible disclosure in December 2025 and fully patched the issue by late January 2026.

As AI coding assistants become deeply embedded in developer workflows, organizations must treat agent containers as strict security boundaries.

Development and security teams should adopt these practices:

  • Sanitize all user-controllable inputs before passing them to shell commands.
  • Never trust external provider data formats as inherently safe.
  • Audit the permissions granted to AI applications to enforce strict least privilege.
  • Monitor repositories for unusual branch names containing shell metacharacters or Unicode spaces.
  • Rotate GitHub tokens regularly and review access logs for unexpected API activity.
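
The first and fourth practices can be combined in one small check. The following is an added example, not code from BeyondTrust or OpenAI: it flags branch names that carry shell metacharacters, an IFS reference, or invisible Unicode padding after a familiar name, and it builds a git command as an argument list so that no shell ever parses the name. The function names, the `PROTECTED` set and the allowlist pattern are assumptions of this example.

```python
import re
import unicodedata
from itertools import takewhile

SHELL_META = set("$`;|&<>(){}'\"!\\")
PROTECTED = {"main", "master", "develop"}    # assumption: names worth impersonating
INVISIBLE = {"Zs", "Zl", "Zp", "Cf", "Cc"}   # Unicode space, format and control categories
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")  # conservative allowlist


def _hidden(ch: str) -> bool:
    return unicodedata.category(ch) in INVISIBLE


def audit_branch(name: str) -> list[str]:
    """Return the reasons a branch name is suspicious; an empty list means clean."""
    findings = []
    meta = "".join(sorted(set(name) & SHELL_META))
    if meta:
        findings.append("shell-metachar:" + meta)
    if re.search(r"\$\{?IFS\b", name):
        findings.append("ifs-reference")
    hidden = sorted({f"U+{ord(c):04X}" for c in name if _hidden(c)})
    if hidden:
        findings.append("invisible-char:" + ",".join(hidden))
        # Text a UI would show before the padding begins, e.g. "main" + U+3000.
        visible = "".join(takewhile(lambda c: not _hidden(c), name))
        if visible in PROTECTED:
            findings.append("lookalike:" + visible)
    return findings


def is_safe_ref(name: str) -> bool:
    return SAFE_REF.fullmatch(name) is not None and ".." not in name


def fetch_argv(name: str) -> list[str]:
    """Build an argv list for subprocess.run(argv); no shell ever parses the name."""
    if not is_safe_ref(name):
        raise ValueError(f"rejected branch name: {name!r}")
    return ["git", "fetch", "origin", f"refs/heads/{name}"]


if __name__ == "__main__":
    # Constructed sample names, not taken from the BeyondTrust report.
    for sample in ["main", "feature/login-fix", "main\u3000\u3000", "topic-${IFS}-x"]:
        print(repr(sample), audit_branch(sample), is_safe_ref(sample))
```

Run `audit_branch` over the output of a branch listing in CI or a scheduled job, and gate any automation that consumes branch names on `is_safe_ref`.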
