
A carefully crafted branch name can steal your GitHub authentication token


Security researchers have discovered a command injection vulnerability in OpenAI’s Codex cloud environment that allowed attackers to steal GitHub authentication tokens using nothing more than a carefully crafted branch name.

Research from BeyondTrust Phantom Labs found the vulnerability stems from improper input sanitization in how Codex processed GitHub branch names during task execution.

By injecting arbitrary commands through the branch name parameter, an attacker could execute malicious payloads inside the agent’s container and retrieve sensitive authentication tokens that grant access to connected GitHub repositories.
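The article does not show how Codex handled the branch name, so the following is an added illustration of the defensive pattern for this bug class, not OpenAI's or BeyondTrust's code: allowlist the branch name and pass it as a single argv element instead of interpolating it into a shell string. The function names and sample branch names are constructed for the example.

```python
import re
import subprocess
import sys

# Conservative allowlist, stricter than git's own ref rules: must start with a
# letter or digit (so it can never be read as an option) and may contain only
# letters, digits, '.', '_', '/' and '-'.
_SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def is_safe_branch_name(name: str) -> bool:
    """Return True only for branch names made of allowlisted characters."""
    if not _SAFE_REF.fullmatch(name):
        return False
    # Sequences git itself rejects in ref names.
    if ".." in name or "//" in name or name.endswith(("/", ".", ".lock")):
        return False
    return True


def checkout_argv(branch: str) -> list[str]:
    """Build the git command as an argv list; never as a shell string."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "checkout", branch]


def passed_literally(value: str) -> str:
    """Show that an argv element is delivered as data when no shell is involved.

    A child Python process stands in for git so the example runs offline.
    """
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample inputs: ordinary names and names carrying shell syntax.
    samples = ["main", "feature/login-fix", "release/1.2.0",
               "main; echo INJECTED", "x$(echo INJECTED)", "-flag", "a..b"]
    for name in samples:
        verdict = "accept" if is_safe_branch_name(name) else "REJECT"
        print(f"{verdict:6}  {name!r}")
    # Even without validation, an argv element reaches the child unchanged.
    print(repr(passed_literally("main; echo INJECTED")))
```

Validation and argv passing are independent layers: the allowlist stops hostile names early, and the argv list keeps any name that slips through from being parsed by a shell.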


A vulnerability in plain sight

What makes this attack ...


Copyright of this story solely belongs to techradar.com.