
Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.
```json { "title": "AI Coding Agents Hacked: Claude Code, Copilot, and Codex Exploits Exposed", "metaDescription": "Claude Code, GitHub Copilot, and OpenAI Codex all suffered critical security exploits in 2025–2026. Every attacker targeted credentials, not the AI model.", "content": "<h2>AI Coding Agent Security: Six Exploits, One Consistent Target</h2>\n\n<p>Between mid-2025 and April 2026, researchers disclosed a wave of critical vulnerabilities across the three most widely used AI coding agents — OpenAI Codex, Anthropic Claude Code, and Microsoft GitHub Copilot. The pattern that emerged was consistent and alarming: in every case, attackers went for credentials and OAuth tokens, not the underlying AI models. The exploits ranged from a hidden Unicode trick that exfiltrated GitHub tokens in cleartext, to a source code leak that enabled supply chain attacks within hours, to a hard-coded limit in Claude Code's permission engine that silently disabled every security rule a developer had configured. This is the full account of what happened, and why it matters to anyone building or shipping software in 2026.</p>\n\n<h2>The Codex Breach: A Branch Name That Stole Your GitHub Token</h2>\n\n<p>On March 30, 2026, BeyondTrust's Phantom Labs publicly disclosed a critical command injection vulnerability in OpenAI's Codex cloud environment. The flaw had been reported to OpenAI on December 16, 2025, via OpenAI's BugCrowd program. OpenAI deployed an initial hotfix by December 23, 2025, and on February 5, 2026, formally classified the vulnerability as Critical Priority 1, confirming full remediation. The three-and-a-half-month gap between the private report and public disclosure was, by industry standards, a reasonable embargo — but the nature of the exploit itself was striking.</p>\n\n<p>The attack worked by injecting arbitrary shell commands into the GitHub branch name parameter inside a task creation HTTP request sent to Codex. To conceal the malicious payload from the Codex web portal's user interface, researchers embedded 94 Ideographic Space characters — Unicode U+3000 — in the branch name. The web portal displayed only the benign-looking word "main." The hidden commands, invisible in the UI, were executed by Codex's backend and exfiltrated the victim's GitHub OAuth token in cleartext. The vulnerability affected multiple Codex interfaces simultaneously: the ChatGPT website, Codex CLI, Codex SDK, and Codex IDE Extensions.</p>\n\n<p>A secondary attack path compounded the severity. When an attacker triggered a <code>@codex</code> mention inside a GitHub pull request comment, Codex's code review container would automatically clone the malicious branch — and in doing so, exfiltrate GitHub Installation Access tokens, which carry broader organizational permissions than individual user OAuth tokens. Kinnaird McQuade, Chief Security Architect at BeyondTrust, described the consequence directly: <strong>"This granted lateral movement and read/write access to a victim's entire codebase."</strong></p>\n\n<p>Fletcher Davis, Director of Research for BeyondTrust Phantom Labs, placed the finding in a broader structural context: <strong>"This highlights a growing class of risk where automated workflows can operate outside the visibility or control of traditional security models."</strong></p>\n\n<h2>The Claude Code Leak and the 50-Subcommand Loophole</h2>\n\n<p>One day after the Codex disclosure, on March 31, 2026, Anthropic published Claude Code version 2.1.88 to the public npm registry with an unintended file included. The release package contained a JavaScript source map file — <code>cli.js.map</code> — that was 59.8 MB in size and included approximately 513,000 lines of unobfuscated TypeScript source code across 1,906 files. Security researcher Chaofan Shou was the first to flag the exposure publicly, posting on X: <strong>"Claude code source code has been leaked via a map file in their npm registry!"</strong> That post accumulated more than 28.8 million views. The leaked codebase on GitHub surpassed 84,000 stars and 82,000 forks.</p>\n\n<p>Anthropic confirmed the exposure in a statement to BleepingComputer: <strong>"This was a release packaging issue caused by human error, not a security breach."</strong> The company said no customer data or credentials were exposed in the leak itself. But the consequences of that source code becoming public extended well beyond Anthropic's own assessment.</p>\n\n<p>The leak fell on the same day as a separate malicious Axios npm supply chain attack, in which threat actors published trojanized packages to npm between 00:21 and 03:29 UTC on March 31, 2026. For any developer who updated Claude Code via npm that morning, the compounded risk was real. Within days, according to Zscaler ThreatLabz, threat actors were seeding trojanized Claude Code versions containing backdoors, data stealers, and cryptocurrency miners — including a Rust-based dropper that deployed Vidar Stealer and GhostSocks.</p>\n\n<p>The source code leak also handed security researchers an unexpected audit opportunity. Tel Aviv-based firm Adversa AI analyzed the leaked code and, on April 1, 2026, disclosed a second, distinct Claude Code vulnerability: a hard-coded limit inside the file <code>bashPermissions.ts</code>, at lines 2162–2178, defined by a constant named <code>MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50</code>. When a shell command contained more than 50 subcommands joined by <code>&&</code>, <code>||</code>, or <code>;</code>, Claude Code's permission engine silently ignored all developer-configured deny rules and fell back to a generic "ask" prompt instead of enforcing the configured policy.</p>\n\n<p>Adversa AI stated plainly: <strong>"The permission system is the primary security boundary between the AI agent and the developer's system."</strong> Bypassing it required nothing more exotic than chaining 51 shell subcommands in a <code>CLAUDE.md</code> file — a technique that could exfiltrate SSH keys, AWS tokens, and GitHub credentials without triggering any of the access controls a developer had set. The internal Anthropic ticket that created this limit is referenced in the source code as CC-643.</p>\n\n<p>A correct fix already existed inside Anthropic's own codebase. An internal "tree-sitter" parser handled deny rules correctly regardless of command length, but it had never been deployed to public builds. A single one-line change in <code>bashPermissions.ts</code> at line 2174 would have resolved the specific vulnerability. Anthropic patched the flaw on April 6, 2026, in Claude Code version 2.1.90, without publishing a public advisory.</p>\n\n<h2>GitHub Copilot: Three Separate Attack Surfaces in Nine Months</h2>\n\n<p>Copilot's exposure during the same period was equally broad, if more distributed across disclosure timelines.</p>\n\n<p>CVE-2025-59145, referred to as "CamoLeak" and carrying a CVSS score of 9.6, enabled theft of source code, API keys, and cloud secrets without executing any malicious code. The attack hid malicious instructions inside GitHub's invisible markdown comment syntax. GitHub patched the flaw in August 2025; it was publicly disclosed in October 2025.</p>\n\n<p>In February 2026, Orca Security's Research Pod disclosed "RoguePilot," a vulnerability in GitHub Codespaces in which attackers could craft hidden instructions inside a GitHub Issue that were automatically processed by GitHub Copilot, enabling theft of the Codespaces <code>GITHUB_TOKEN</code> secret and full repository takeover via passive prompt injection — no user interaction required beyond the Issue being viewed.</p>\n\n<p>CVE-2026-21516, a command injection vulnerability in GitHub Copilot for JetBrains with a CVSS score of 8.8, was patched by Microsoft on February 10, 2026, in version 1.5.63.</p>\n\n<p>In April 2026, The Register reported that researchers Aonan Guan and a team from Johns Hopkins University disclosed prompt injection attacks against Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot. All three vendors paid bug bounties. None assigned CVEs or published public advisories. GitHub initially described the Copilot finding as a "known issue" they "were unable to reproduce" before ultimately paying a $500 bug bounty in March 2026.</p>\n\n<p>Aonan Guan raised the transparency problem directly: <strong>"If they don't publish an advisory, those users may never know they are vulnerable – or under attack."</strong></p>\n\n<h2>Why This Matters: IAM, Adoption Scale, and a Structural Blind Spot</h2>\n\n<p>The scale of AI coding tool adoption makes the credential-targeting pattern particularly consequential. According to a 2024 GitHub survey cited by Pillar Security, 97% of enterprise developers are using generative AI coding tools. Stack Overflow's 2025 survey of 49,000 developers found 84% are using AI coding tools, with 51% doing so daily. These are not niche products used by a small population of early adopters. They are infrastructure, embedded in the daily workflows of the global developer workforce.</p>\n\n<p>The security architecture of that infrastructure has not kept pace. Palo Alto Networks' 2025 State of Cloud Security Report, drawing on insights from more than 2,800 security leaders, found that 99% of organizations reported at least one attack on their AI systems within the past year, and that 53% cite lenient identity and access management (IAM) practices as a top data security challenge. The exploits disclosed across Codex, Claude Code, and Copilot between 2025 and 2026 do not contradict that finding — they illustrate it at the product level.</p>\n\n<p>A January 2026 study found that 100% of tested AI coding assistants are vulnerable to prompt injection, with adaptive success rates above 85%. In December 2025, a researcher disclosed more than 30 flaws in AI coding tools, including a command injection flaw in OpenAI Codex CLI (CVE-2025-61260) that allows arbitrary command execution by exploiting implicit trust of MCP server entries. That research resulted in 24 CVEs being assigned and prompted security advisories from major vendors including AWS.</p>\n\n<p>The common thread across these incidents is not that AI models were manipulated into producing malicious output. It is that the systems surrounding AI agents — the OAuth integrations, the permission engines, the npm packaging pipelines, the automated workflow runners — were exploited through techniques that traditional identity and access management tools were never designed to detect. When an AI agent clones a branch, executes a shell command, or processes an instruction embedded in a GitHub Issue, the action looks like legitimate software behavior. It is invisible to IAM systems built to monitor human logins and API calls, not autonomous agents acting on behalf of developers.</p>\n\n<h2>What Comes Next</h2>\n\n<p>All three vendors have patched the specific vulnerabilities described in this article. OpenAI confirmed full remediation of the Codex command injection flaw on February 5, 2026. Anthropic patched the Claude Code deny-rule bypass in version 2.1.90 on April 6, 2026. Microsoft patched CVE-2026-21516 on February 10, 2026, and GitHub patched CamoLeak in August 2025.</p>\n\n<p>What the patch record does not resolve is the disclosure question Aonan Guan raised. When vendors patch vulnerabilities without publishing advisories, developers using those tools have no mechanism to assess whether they were exposed during the window between vulnerability creation and remediation. The Johns Hopkins University team's findings — affecting three major AI coding agents, rewarded with bug bounties, and disclosed with no public CVEs — illustrate that the current responsible disclosure norms for AI agent security are inconsistent and weighted against developers.</p>\n\n<p>The structural challenge — AI agents operating with broad credential access in automated workflows that sit outside traditional IAM visibility — is not resolved by patching individual bugs. Each of the six research findings described here was a discrete vulnerability. The condition that made all of them dangerous was the same: AI coding agents are granted substantial access to credentials, repositories, and cloud infrastructure, while the security tooling built to monitor that access was designed for a different model of software execution entirely.</p>\n\n<h2>What Developers Should Do Now</h2>\n\n<p>If you use any AI coding agent in your development workflow — whether Codex, Claude Code, GitHub Copilot, or any comparable tool — update to the latest available version immediately and audit the credential scopes those tools hold. Review any automated workflows that grant AI agents access to repository secrets, cloud tokens, or SSH keys. The vulnerabilities disclosed between 2025 and 2026 were patched, but the underlying access model that made them exploitable has not changed. Minimizing credential scope, monitoring automated agent behavior, and treating AI coding tools as part of your IAM surface area are the concrete steps the research record supports.</p>\n\n<p>At Moccet, we track how technology intersects with how people work — and few questions are more pressing right now than whether the tools meant to make developers more productive are introducing risks that undermine the safety of everything those developers build. Staying informed is the first line of defense.</p>", "excerpt": "Between mid-2025 and April 2026, researchers disclosed critical vulnerabilities in OpenAI Codex, Anthropic Claude Code, and GitHub Copilot — six exploits in nine months, all targeting credentials rather than the AI models themselves. From a Unicode-hidden token theft in Codex to a hard-coded permission bypass in Claude Code, the attacks exposed a structural gap between AI agent access and traditional IAM visibility. All three vendors have patched the specific flaws, but the underlying access model remains unchanged.", "keywords": ["AI coding agent security", "Claude Code vulnerability", "OpenAI Codex exploit", "GitHub Copilot CVE", "OAuth token theft"], "slug": "ai-coding-agents-hacked-claude-code-copilot-codex-exploits" } ```