[Digital Today reporter Chi-gyu Hwang (황치규)] A report says a command injection vulnerability was found in OpenAI’s coding agent Codex, allowing GitHub authentication tokens to be stolen.

SiliconANGLE reported on March 30 that Phantom Labs, part of identity and access management security company BeyondTrust, said the flaw stemmed from how Codex handled a “branch name” when creating a work environment.

Codex is a coding assistant feature included in ChatGPT. It automatically performs tasks when developers prompt it to generate or review code or handle pull requests. Tasks run in a managed container environment. It clones a repository and authenticates using a short-lived GitHub OAuth token to proceed.

The report said the vulnerability began with the ability to manipulate the branch parameter during the task creation process. This made it possible to insert arbitrary commands into shell commands during the environment setup stage and execute code inside the container. The researchers said tests showed it was possible to extract the OAuth token used for repository access, then display it in task output or expose it through external network requests.

If a token is leaked, the damage may not be limited to a single repository. The report said attackers who obtain a token may have room to “move laterally” within GitHub. It said the risk is greater, especially in enterprise environments where Codex is granted broad permissions across multiple repositories and workflows.