Overview
- BeyondTrust Phantom Labs published technical details of a Codex command-injection flaw that enabled theft of GitHub OAuth tokens.
- The bug came from unsanitized Git branch names that Codex passed into shell commands during environment setup, which let attacker-supplied commands run with access to stored tokens.
- Researchers showed attackers could hide payloads with an invisible Ideographic Space in the branch name, making a malicious command look like a normal label in the UI.
- The attack path worked across the ChatGPT website, the Codex SDK, the CLI, and IDE plug-ins, and a malicious default branch could expose any developer who opened the repository through those tools.
- OpenAI says it fixed the issue after responsible disclosure, and teams are urged to audit tool permissions, trim token scopes, rotate exposed tokens, and check local auth.json files that may store credentials.