AI Code Agents: Major Security Flaws Exposed

A series of significant security vulnerabilities affecting AI coding agents, including OpenAI's Codex, Anthropic's Claude Code, GitHub Copilot, and Google's Vertex AI, have been disclosed over the past nine months. These exploits, detailed by six research teams, consistently bypassed security measures by leveraging a pattern where AI agents held credentials and authenticated to production systems without a direct human session.

Recent incidents highlighted these risks: on March 30, 2026, BeyondTrust demonstrated how a malicious GitHub branch name could exfiltrate Codex's OAuth token. Shortly after, on April 1, 2026, Claude Code's source code was found on npm, and it was discovered that the agent ignored deny rules when commands exceeded 50 subcommands. These incidents follow earlier demonstrations at Black Hat USA 2025, where AI tools were hijacked live.

Specific vulnerabilities included Codex's susceptibility to branch name manipulation for token theft and Claude Code's issues with file-write restrictions and bypassed sandbox protections. Copilot faced exploits where pull request descriptions and GitHub issues led to unauthorized shell execution and token exfiltration. Vertex AI agents were found to possess excessive default permissions, granting broad access to user data and Google's infrastructure.

Experts warn that enterprises often approve AI vendor interfaces, not the underlying systems, leaving credentials vulnerable. The speed at which threat actors reverse-engineer patches further exacerbates the risk, compressing the window for exploitation to mere hours or even seconds. Security leaders are urged to consolidate agent identities with human privileges, ensuring AI agents do not possess more access than their users.