OAuth tokens are frequently complicit in breaches involving AI. When researchers found an obfuscated token while examining the relationship between OpenAI Codex and GitHub, they took notice.
OpenAI Codex is an LLM designed to translate natural language prompt instructions into working source code. It is widely used by developers in their interaction with GitHub repositories for generating new code from ideas and performing pull requests.
OAuth tokens have a checkered relationship with AI. While necessary, they were the primary breach vector in the Salesloft incident during 2025 – leading to compromise in more than 700 organizations. And in March 2026, Grip Security published research into Shadow AI and OAuth tokens in SaaS apps, describing how one stolen token could cause cascading breaches across multiple companies that use the same SaaS app.
The weak link is not just the tokens, but tokens implemented with long-term validity. BeyondTrust quickly discovered that the obfuscated token they found was short lived and rapidly expired. Nevertheless, it was briefly visible. The researchers decided to seek a way to extract and abuse it while it was still valid.
The cascading potential of a single stolen token across multiple accounts was no doubt inviting. In this case, the potential was to use the OAuth token to target GitHub repositories that might (especially in the case of OSS repositories) be accessed by individuals from multiple organizations. While the token was short-lived, automation could conceivably be used to first steal and then abuse the token before it expired.
BeyondTrust’s Phantom Labs researchers succeeded – including the automation necessary to compromise the multiple users interacting with a single GitHub repository. The research was not an overnight project; it was long and complex. Full details of the research are reported in a blog.
The researchers discovered they could access tokens tied to repositories, workflows and private code, with the potential for lateral movement across companies using shared environments. Automation could provide exploitation at scale.
The discovered vulnerability ultimately stems from improper input sanitization in how Codex processed GitHub branch names during task execution. By injecting arbitrary commands through the GitHub branch name parameter, Phantom Labs discovered an attacker could execute malicious payloads inside the agent’s container and retrieve sensitive authentication tokens.
For stealth and reliability (to prove the vulnerability could be used in earnest), the researchers developed further obfuscated payload techniques using Unicode characters. This allowed malicious commands to execute without being visibly detectable in the user interface.
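To make the defensive side of those two findings concrete, here is an added example (not code from BeyondTrust, OpenAI or GitHub) of screening a branch name before any automation consumes it, reporting both shell-significant characters and characters a user interface may not render. The function names, the allowlist and the sample inputs are assumptions made for this illustration.

```python
import re
import unicodedata

# Conservative allowlist chosen for this example; stricter than git's own ref rules.
ALLOWED = re.compile(r"[A-Za-z0-9._/-]{1,200}")

def branch_name_problems(name):
    """Return the reasons to reject a branch name; an empty list means accept."""
    problems = []
    # Name every character a UI may render as blank or not render at all.
    for ch in name:
        cat = unicodedata.category(ch)
        if ord(ch) > 0x7E or cat.startswith(("C", "Z")):
            label = unicodedata.name(ch, "unnamed")
            problems.append(f"U+{ord(ch):04X} {label} ({cat})")
    if not ALLOWED.fullmatch(name):
        problems.append("characters outside [A-Za-z0-9._/-] or bad length")
    # Structural checks: option-like names and ref-path tricks.
    if name.startswith(("-", "/", ".")) or name.endswith(("/", ".", ".lock")):
        problems.append("bad leading or trailing character")
    if ".." in name or "//" in name:
        problems.append("contains '..' or '//'")
    return problems

def screen(names):
    """Map each candidate name to its list of problems."""
    return {n: branch_name_problems(n) for n in names}

# Constructed sample inputs, not payloads from the research.
SAMPLES = [
    "feature/login-fix",   # ordinary name
    "main;echo test",      # shell separator and whitespace
    "main\u200bdev",       # zero width space, invisible in most UIs
    "--option-like",       # would be parsed as a command-line option
]

if __name__ == "__main__":
    for name, problems in screen(SAMPLES).items():
        print(repr(name), "->", problems or "ok")
```

A check like this complements, and does not replace, passing the branch name to tools as a single argument rather than interpolating it into a shell command string.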
BeyondTrust responsibly disclosed its findings to OpenAI in late December 2025, and to its credit, OpenAI rapidly fixed all reported issues. This particular vulnerability will no longer work against OpenAI Codex. However, the research is a further demonstration of how the combination of AI and OAuth tokens will present attackers with a widening attack surface and an expanding blast radius at least through 2026.
Meanwhile, the moral of the story, according to the BeyondTrust report, is “AI coding agents are not just productivity tools. They are live execution environments with access to sensitive credentials and organizational resources. Because these agents act autonomously, security teams must understand how to govern AI agent identities to prevent command injection, token theft, and automated exploitation at scale.
“As AI agents become more deeply integrated into developer workflows, the security of the containers they run in – and the input they consume – must be treated with the same rigor as any other application security boundary. The attack surface is expanding, and the security of these environments needs to keep pace.”

