BeyondTrust's Phantom Labs just published a report on a command injection vulnerability in OpenAI's Codex. It's patched now, but the attack pattern matters because it's exactly the kind of thing vibe coders won't see coming.
What Happened
Codex runs tasks inside managed containers that clone your GitHub repo and authenticate with short-lived OAuth tokens. The vulnerability: during environment setup, the branch name was interpolated into shell commands without being validated or escaped.
An attacker who could create a branch with a crafted name could therefore inject arbitrary shell commands. Those commands executed inside the container, with the same access to your GitHub token that the setup step itself had.
The attack worked across:
- The Codex web interface
- The CLI
- The SDK
- IDE integrations
Worse, it scales. Anyone who can push a branch to a repository can embed the payload in its name, and every developer who runs a Codex task against that repo is exposed.
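The vulnerable pattern beside its hardened form, as an added example written for this post (not code from Codex or from the BeyondTrust report). The payload is constructed here for illustration, `echo cloning` stands in for the real git invocation so the block runs without a repository, network or git binary, and the ref-name check approximates the rules in git-check-ref-format(1):

```python
import re
import subprocess

# Constructed payload for this example, not one from the report. It is a legal
# git branch name (';', '$', '{' and '}' are all permitted), so ref-name
# validation alone accepts it; in a shell, ';' ends the first command and
# ${IFS} expands to whitespace, so `echo INJECTED` runs as a second command.
MALICIOUS_BRANCH = "feature/login;echo${IFS}INJECTED"

# Rules from git-check-ref-format(1), approximated: control characters, space,
# ~ ^ : ? * [ and backslash; "..", "@{", "//"; a leading or trailing "/";
# a trailing "."; a component starting with "." or ending in ".lock".
_FORBIDDEN = re.compile(
    r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//|^/|/$|\.$|\.lock(?:/|$)|(?:^|/)\."
)


def is_valid_branch_name(name: str) -> bool:
    """Approximate `git check-ref-format --branch`: True if git would accept it."""
    if not name or name == "@" or name.startswith("-"):
        return False
    return _FORBIDDEN.search(name) is None


def vulnerable_command(branch: str) -> str:
    """The pattern behind the report: the branch name is spliced into a shell
    string. `echo cloning` stands in for the real git command line."""
    return f"echo cloning {branch}"


def run_vulnerable(branch: str) -> str:
    # shell=True hands the whole string to /bin/sh, metacharacters included.
    return subprocess.run(
        vulnerable_command(branch), shell=True, capture_output=True, text=True
    ).stdout


def git_clone_argv(repo_url: str, branch: str, dest: str) -> list[str]:
    """Hardened form: validate, then build an argv list. No shell is involved,
    the name is bound to --branch so it cannot be parsed as a separate option,
    and `--` ends option parsing before the positional arguments."""
    if not is_valid_branch_name(branch):
        raise ValueError(f"refusing branch name {branch!r}")
    return ["git", "clone", "--depth", "1", "--branch", branch, "--", repo_url, dest]


def run_hardened(branch: str) -> str:
    # Same stand-in as run_vulnerable, but passed as argv: the branch name is
    # delivered to the child process as exactly one argument.
    if not is_valid_branch_name(branch):
        raise ValueError(f"refusing branch name {branch!r}")
    return subprocess.run(
        ["echo", "cloning", branch], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    print("git accepts the name:", is_valid_branch_name(MALICIOUS_BRANCH))
    print("shell string ->", run_vulnerable(MALICIOUS_BRANCH).splitlines())
    print("argv list    ->", run_hardened(MALICIOUS_BRANCH).splitlines())
    # hypothetical repo URL, for illustration only
    print(git_clone_argv("https://github.com/example/repo.git", MALICIOUS_BRANCH, "work"))
```

The point of keeping both paths in one file: the malicious name passes git's own naming rules, so "sanitize branch names" is not a sufficient fix. Semicolons, dollar signs, pipes, ampersands, backticks and parentheses are all legal in a ref name. The fix is to never route the name through a shell at all; validation is a second layer, not the first.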
What Could Be Stolen
The GitHub OAuth tokens Codex uses aren't just read tokens. In enterprise environments where Codex has been granted broad permissions, a stolen token can carry:
- Full read/write access to repositories
- Workflow trigger permissions (CI/CD pipelines)
- Organization-level access depending on token scope
One compromised branch name. Every Codex user on the repo exposed.
Why This Matters for Vibe Coders
This vulnerability was found by professional security researchers at BeyondTrust. Most vibe coders:
- Don't review branch names for injection payloads
- Don't audit what permissions their AI coding tools have
- Don't know what an OAuth token scope even is
- Trust that "it's a managed container" means it's safe
The attack surface isn't your code. It's your tools.
The Bigger Picture
This dropped the same day Claude Code launched Computer Use (mouse and keyboard control). Two separate stories, same lesson:
AI coding agents are live execution environments with access to your credentials.
They're not just autocomplete. They run commands, clone repos, access tokens, and now control your screen. Every new capability is a new attack surface.
In the last 7 days:
- LiteLLM supply chain attack hit a package with 95M monthly downloads (TeamPCP campaign)
- Same attacker compromised Trivy (vulnerability scanner) and KICS (IaC analyzer)
- OpenAI Codex command injection exposed GitHub tokens
- Claude Code gained mouse and keyboard access
The tools we trust to write and test our code are becoming the primary attack vector.
What To Do
- Audit your AI tool permissions. Which repos can Codex reach, and what scopes do its tokens carry? Minimize to read-only where possible, and keep in mind that the classic GitHub "repo" scope has no read-only form: read-only access to private repos needs fine-grained token or GitHub App permissions.
- Pin your dependencies. TeamPCP compromised packages that millions install unpinned. Pin exact versions, and hashes where your ecosystem supports them (pip's --require-hashes, lockfile integrity fields).
- Don't trust container isolation alone. The Codex containers had network access, so anything running inside them could send out whatever it found. "Managed" doesn't mean "secure."
- Scan your deployed apps. If you built it with AI tools, scan it before users find what you missed. VibeCheck is free.
- Treat repository metadata as untrusted input. Branch names, commit messages and config files end up in tool commands; check them for exposed secrets and injection payloads, because AI tools don't flag these by default.
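For the first item, a quick way to see what a classic GitHub token can do is the X-OAuth-Scopes header GitHub returns on API responses for OAuth app tokens and classic personal access tokens (for example from `curl -sI -H "Authorization: Bearer $TOKEN" https://api.github.com/user`). The parser below is an added example written for this post, not part of the report or of any GitHub tooling; the response text is constructed, and the scope descriptions paraphrase GitHub's classic scope documentation:

```python
# Classic GitHub OAuth scopes that grant more than read access. Descriptions
# paraphrase GitHub's documentation for classic personal access token scopes.
WRITE_SCOPES = {
    "repo": "read/write on every repository the user can reach, private included",
    "public_repo": "read/write on public repositories",
    "workflow": "add or modify GitHub Actions workflow files",
    "write:packages": "publish packages",
    "delete:packages": "delete packages",
    "admin:org": "full control of organizations, teams and membership",
    "write:org": "modify organization and team membership",
    "admin:repo_hook": "manage repository webhooks",
    "write:repo_hook": "create repository webhooks",
    "delete_repo": "delete repositories",
}

# Constructed response headers, shaped like `curl -sI` output against
# api.github.com; not a real capture.
SAMPLE_RESPONSE = """HTTP/2 200
server: github.com
x-oauth-scopes: read:org, repo, workflow
x-accepted-oauth-scopes: 
x-github-media-type: github.v3; format=json
"""


def parse_oauth_scopes(raw_headers: str) -> list[str]:
    """Return the scopes listed in X-OAuth-Scopes, or [] if the header is
    absent. Fine-grained PATs and GitHub App installation tokens do not send
    it, so an empty result means 'check the token's permissions elsewhere',
    not 'no access'."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-oauth-scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []


def excess_scopes(scopes: list[str]) -> dict[str, str]:
    """Map each scope that grants write, workflow or admin rights to a short
    description of what an attacker holding the token could do with it."""
    return {s: WRITE_SCOPES[s] for s in scopes if s in WRITE_SCOPES}


if __name__ == "__main__":
    granted = parse_oauth_scopes(SAMPLE_RESPONSE)
    print("granted:", granted)
    for scope, risk in excess_scopes(granted).items():
        print(f"  {scope:16} {risk}")
```

Run it against a real capture and anything it lists is what a leaked token would hand an attacker; a Codex integration that only needs to read code should not show "repo" or "workflow" there.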
OpenAI patched this one. The next vulnerability in the next AI coding tool hasn't been found yet.
Building VibeCheck, a free security scanner for vibe-coded apps. Follow @solobillionsHQ for daily vibe coding security updates.