
Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.

Six research teams disclosed exploits against Claude Code, Copilot, and Codex over nine months. Every attack targeted IAM tokens and OAuth keys instead of the models themselves.

May 1, 2026 · 2 min read

The Exploits Keep Coming

March 30 was a wake-up call. BeyondTrust proved that a carefully crafted GitHub branch name could force OpenAI's Codex to dump its OAuth token in cleartext. OpenAI classified the bug Critical P1. A branch name. That's all it took to expose the keys to the kingdom.

Two days later, Anthropic's Claude Code source code spilled onto the public npm registry. Within hours, researchers at Adversa found another flaw. Claude Code silently ignored its own deny rules once a command chained past fifty subcommands. These were not isolated bugs in obscure edge cases. They were the latest entries in a running tally that now spans nine months and six separate research teams.
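The deny-rule failure described above is easy to reproduce in miniature. The checker below is an added illustration, not Claude Code's or Adversa's code, and the deny list, the fifty-subcommand cap and the sample command lines are all constructed: the capped variant inspects only the first `limit` subcommands of a chain, while the hardened variant walks the whole chain, keeps quoted separators inside their argument, and fails closed on unparseable input.

```python
import os
import shlex
from typing import List, Optional

# Constructed deny list of command names an unattended agent must not run.
DENY_RULES = frozenset({"rm", "curl", "ssh"})
# Any token made only of these characters separates one subcommand from the next.
CONTROL_CHARS = set(";|&()")


def split_subcommands(cmd: str) -> List[List[str]]:
    """Split a shell line into argv-style subcommands. Quotes are respected,
    so a ';' inside '...' stays part of an argument rather than a separator."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    subcommands, current = [], []
    for tok in lex:  # raises ValueError on unbalanced quotes
        if tok and set(tok) <= CONTROL_CHARS:
            if current:
                subcommands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        subcommands.append(current)
    return subcommands


def first_denied(cmd: str, limit: Optional[int] = None) -> Optional[str]:
    """Return the first denied command name in `cmd`, or None if it passes.
    `limit` reproduces the constructed flaw: only the first `limit` subcommands
    are inspected. Parse failures are reported as denied (fail closed)."""
    try:
        subcommands = split_subcommands(cmd)
    except ValueError:
        return "<unparseable>"
    if limit is not None:
        subcommands = subcommands[:limit]
    for argv in subcommands:
        name = os.path.basename(argv[0])  # '/bin/rm' and 'rm' hit the same rule
        if name in DENY_RULES:
            return name
    return None


def is_allowed(cmd: str) -> bool:
    """Hardened check: every subcommand in the chain is inspected."""
    return first_denied(cmd) is None


if __name__ == "__main__":
    # Constructed regression case: 50 harmless subcommands followed by a denied one.
    chained = " && ".join(["true"] * 50 + ["rm -rf ./build"])
    print("capped checker:", first_denied(chained, limit=50))  # None (the flaw)
    print("full checker:", first_denied(chained))  # rm
```

A name-based deny list remains a secondary control: wrappers such as `sh -c` or `env` are not unwrapped here, which is why scoped credentials and sandboxing, not command filtering, carry the real weight.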

The targets varied: Codex, Claude Code, Copilot, Vertex AI. The attack pattern did not. Every exploit pursued identity and access management instead of model weights or prompt logic. No one tried to jailbreak the neural network into writing malware. They simply reached for the credentials and walked out the door.

Why Credentials Are the Weakest Link

AI coding agents need broad access to be useful. They read your repositories, execute shell commands, and call cloud APIs. We spent years worrying about prompt injection and creative jailbreaks. The real threat turned out to be far simpler. Tricking a model into saying something toxic is hard work. Stealing its OAuth token and quietly exfiltrating code is much easier.

These tools run with the privileges of a senior engineer. They hold long-lived tokens, often with organization-wide scope. That concentration of access makes them an ideal target. Attackers do not need to outsmart the neural network. They just need to outsmart the plumbing around it.

What Builders Should Actually Do

Start with token hygiene. Audit what your AI assistants can reach. Scoped permissions, short-lived keys, and project isolation are non-negotiable if you ship production code. Your coding assistant does not need access to your entire GitHub organization, your production database, and your billing system all at once.

Managed development environments change the equation. When you build in a browser-based platform that handles git, preview, and deploy in isolated sandboxes, the AI agent never sits on your laptop holding your master SSH key. Botflow connects to GitHub through scoped OAuth and runs builds in ephemeral containers. The blast radius shrinks because the credential never touches your local filesystem.

Supply chain security was already difficult before AI agents joined the chain. Now you must treat every tool as a potential lateral movement path. Review what your AI coding tools install, where they send data, and which secrets they can read. If you would not hand those keys to a new hire without oversight, do not hand them to an agent running silently in your terminal.