Critical Vulnerability in OpenAI Codex Could Allow GitHub Token Theft via Unicode Injection


Wednesday, April 1, 2026

Researchers from BeyondTrust Phantom Labs have disclosed a critical vulnerability in OpenAI Codex that could be exploited to steal GitHub OAuth tokens. The flaw is a command injection vulnerability caused by insufficient input sanitization, allowing attackers to embed malicious commands within GitHub branch names. Notably, the attack leverages special Unicode characters, such as ideographic spaces that resemble normal whitespace, to conceal harmful payloads.
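The defensive check a tool that consumes branch names needs is twofold: reject ref names that contain invisible or whitespace-lookalike Unicode (the ideographic space mentioned above, zero-width characters, non-breaking spaces), and never splice the name into a shell string in the first place. The following is an added example written for this summary; it is not code from BeyondTrust, OpenAI, or the linked article, and the exact characters Codex mishandled are not known from the page. It assumes an allowlist policy of printable ASCII plus a subset of git's own `check-ref-format` rules, and the sample branch names are constructed.

```python
from __future__ import annotations

import re
import subprocess
import unicodedata

# Subset of the names git itself rejects (see git-check-ref-format): control characters,
# ASCII space, shell/refspec metacharacters, "..", "@{", leading "-" or "/", trailing "/",
# trailing "." or ".lock". This is a hypothetical approximation, not git's full rule set.
_GIT_FORBIDDEN = re.compile(
    r'[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//|^-|^/|/$|\.$|\.lock$|^@$'
)


def suspicious_characters(name: str) -> list[tuple[int, str, str]]:
    """Return (index, char, reason) for every character that is invisible, a
    non-ASCII whitespace lookalike, or otherwise outside printable ASCII.

    Category Zs covers space separators such as U+3000 IDEOGRAPHIC SPACE and
    U+00A0 NO-BREAK SPACE; Cf covers format characters such as zero-width space.
    """
    findings: list[tuple[int, str, str]] = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if ch == ' ':
            findings.append((i, ch, 'ASCII space'))
        elif cat == 'Zs':
            findings.append((i, ch, f'non-ASCII space separator {unicodedata.name(ch, "?")}'))
        elif cat in ('Zl', 'Zp', 'Cc', 'Cf', 'Co', 'Cn'):
            findings.append((i, ch, f'invisible/control character U+{ord(ch):04X} ({cat})'))
        elif ord(ch) > 0x7E:
            # Allowlist policy: git permits non-ASCII letters, but a tool that runs
            # commands on behalf of a user is safer refusing anything it cannot display.
            findings.append((i, ch, f'non-ASCII character {unicodedata.name(ch, "?")}'))
    return findings


def is_safe_branch_name(name: str) -> bool:
    """True only for non-empty names that pass the git subset and contain no suspicious characters."""
    if not name or _GIT_FORBIDDEN.search(name):
        return False
    return not suspicious_characters(name)


def checkout_argv(name: str) -> list[str]:
    """Build argv for a checkout of a validated branch.

    Returning a list (and running it with shell=False) means the name reaches git as a
    single argv element: no shell ever tokenises it, so a hidden separator cannot turn
    part of the name into a second command. Leading '-' is already rejected above, so the
    name cannot be mistaken for a git option either.
    """
    if not is_safe_branch_name(name):
        raise ValueError(f'refusing branch name with suspicious characters: {name!r}')
    return ['git', 'checkout', name]


def run_checkout(name: str, cwd: str = '.') -> subprocess.CompletedProcess:
    """Run the validated checkout without a shell (contrast: subprocess.run(f'git checkout {name}', shell=True))."""
    return subprocess.run(checkout_argv(name), cwd=cwd, check=True, capture_output=True, text=True)


if __name__ == '__main__':
    # Constructed sample names: one clean, one with an ideographic space, one with a
    # zero-width space, one with an ASCII space, one starting with '-'.
    for sample in ['feature/login', 'feature/login\u3000x', 'fix-\u200bbug', 'release 1.0', '-weird']:
        print(repr(sample), is_safe_branch_name(sample), suspicious_characters(sample))
```

The vulnerable pattern this guards against is string formatting of the branch name into a command line that a shell then re-parses; the hardened form validates first and then hands git a fixed argv. Running `suspicious_characters` over every ref name a tool receives (default branch included, given the note below about malicious default branches) also gives a cheap detection signal worth logging.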

This vulnerability enables attackers to create malicious branches containing hidden code. When users or Codex interact with such branches, unintended command execution may occur, potentially exposing sensitive data such as GitHub access tokens in plain text. This could lead to repository takeover or unauthorized access to internal codebases. The impact is broad, affecting not only Codex but also related tools including ChatGPT, Codex SDK, and developer extensions. If a malicious branch is set as the default, users may become victims immediately upon interaction.

The vulnerability was reported to OpenAI on December 16, 2025, leading to an initial patch within one week and additional security improvements by late January 2026. OpenAI classified the issue as “Critical Priority 1” and confirmed that it has been fully remediated. This incident highlights the risks associated with AI tools that have high-privilege access to sensitive data and underscores the importance of robust input validation and secure usage practices in development environments.

Source: https://hackread.com/openai-codex-vulnerability-steal-github-tokens/