OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens
Source: Mastodon
OpenAI’s Codex code‑generation engine harboured a hidden Unicode command‑injection flaw that could be triggered through malicious Git branch names, allowing attackers to siphon GitHub personal‑access tokens. Security researchers disclosed that the vulnerability stems from Codex’s automatic parsing of branch identifiers when it suggests code changes. By embedding a specially crafted Unicode sequence, an adversary can inject a shell command that runs on the developer’s machine or CI runner, reads the stored token and exfiltrates it to a remote server. The flaw was active in the default Codex configuration used by many IDE plugins and by OpenAI’s own Codex‑powered GitHub integration.
The breach matters because a stolen token grants full read‑write access to a user’s repositories, secrets, and workflow files, opening the door to supply‑chain attacks that could compromise downstream projects. The incident follows a wave of AI‑related prompt‑injection exploits – such as the “PromptPwnd” attacks on GitHub Actions and the Shai‑Hulud 2.0 supply‑chain campaign – and underscores how AI assistants can become an unexpected attack surface in DevOps pipelines.
OpenAI has released an emergency patch that sanitises branch names and disables the vulnerable code path, and it is urging developers to update to the latest Codex version, rotate all exposed tokens and audit recent commits for unauthorized changes. The company also promised a formal security advisory and a CVE identifier in the coming days.
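A check of the kind the patch is described as performing, as an added example that is not OpenAI's code: it rejects branch names carrying invisible or non-ASCII characters, shell metacharacters, or a leading dash, and audits a list of names. The allow-list policy, the function names and the sample branch names are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumed policy (not OpenAI's published rule): ASCII letters, digits and . _ / -
# only, starting with a letter or digit so the name cannot be read as an option.
SAFE_BRANCH = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")

def branch_name_problems(name):
    """Return the reasons a branch name is rejected; an empty list means it passes."""
    problems = []
    for ch in name:
        category = unicodedata.category(ch)
        if category in ("Cc", "Cf"):
            problems.append(f"invisible control/format character U+{ord(ch):04X}")
        elif category in ("Zs", "Zl", "Zp"):
            problems.append(f"whitespace character U+{ord(ch):04X}")
        elif ord(ch) > 127:
            problems.append(f"non-ASCII character U+{ord(ch):04X}")
    if not problems and not SAFE_BRANCH.fullmatch(name):
        problems.append("characters outside the allow-list or bad first character")
    return problems

def audit_branches(names):
    """Map each rejected name (escaped, so hidden characters show) to its reasons."""
    report = {}
    for name in names:
        problems = branch_name_problems(name)
        if problems:
            report[name.encode("unicode_escape").decode("ascii")] = problems
    return report

# Constructed sample input, e.g. what
# `git for-each-ref --format='%(refname:short)'` might list.
SAMPLE_BRANCHES = [
    "main",
    "feature/login-form",
    "main\u200b",            # zero-width space: renders identically to "main"
    "release\u3000notes",    # ideographic space
    "fix;true",              # shell metacharacter
    "-force",                # would be parsed as a command-line option
]

if __name__ == "__main__":
    for shown, reasons in audit_branches(SAMPLE_BRANCHES).items():
        print(f"{shown}: {'; '.join(reasons)}")
```

Validation of this kind complements, and does not replace, passing branch names to Git as separate arguments instead of interpolating them into a shell command string.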
What to watch next: whether OpenAI will extend the fix to other models that share the same parsing logic, how quickly competing tools such as GitHub Copilot and Google Gemini address similar risks, and whether regulators will demand stricter AI‑code‑assistant security standards. The episode is likely to accelerate scrutiny of AI‑driven development tools and push vendors toward more robust input validation and supply‑chain hardening.