AI Tools Weekly Sage logoAI Tools WeeklySage
ai-securityaclaude-codecodexai-model-hackinguser-interface-vulnerabilities

Claude Code, Copilot and Codex got hacked. Attackers went for the credentials

**AI Model Hacking: Claude Code, Copilot, and Codex Vulnerabilities Highlight AI Security...

5 min readAI Tools Weekly
Disclosure: This article contains affiliate links. We earn a commission if you purchase through our links, at no extra cost to you.

AI Model Hacking: Claude Code, Copilot, and Codex Vulnerabilities Highlight AI Security Risks

What Happened?

The recent hacks on AI platforms Claude Code, Copilot, and Codex revealed critical vulnerabilities exploited by attackers targeting user interfaces rather than the AI models themselves. BeyondTrust successfully crafted a GitHub OAuth token to steal Codex's credentials by cloning repositories with a malicious branch name containing Ideographic Space characters. Meanwhile, Claude Code was discovered on npm despite command execution limitations of 50 subcommands and file-write restrictions, bypassed by Adversa. Copilot was affected through JSON manipulation in pull requests, enabling unauthorized access.

These incidents underscore vulnerabilities in AI platform security, particularly user interface and command structures. Attackers focused on credentials, indicating risks in insufficient infrastructure security. Exploiting these entry points poses significant risks to model integrity and system control.

Why It Matters?

These incidents highlight the critical importance of securing both AI models and their underlying infrastructure. The fact that attackers were able to bypass command restrictions, file-write limitations, and JSON injection vulnerabilities suggests that platforms may prioritize model security over user-facing features. Such vulnerabilities can lead to unauthorized access to sensitive data, control of AI decision-making processes, and potential model compromise if exploit vectors are not adequately mitigated.

The risks are further amplified by the increasing sophistication of attack methods. For instance, Adversa's exploitation of Claude Code's command subcommand limitations demonstrates that even seemingly restrictive systems can be circumvented with the right ingenuity. Similarly, BeyondTrust's crafting of a malicious branch name for Codex illustrates how attackers might exploit subtle vulnerabilities in user interfaces.

The scale of these risks is particularly concerning because AI models are becoming integral to industries such as healthcare, finance, and autonomous vehicles. A breach in these systems could lead to data breaches, biased or manipulated outputs, and significant reputational damage.

How It Works?

Attackers exploited crafted tokens for Codex and command subcommand limitations for Claude Code. BeyondTrust successfully bypassed these defenses by crafting a malicious branch name that appeared identical to the standard "main" branch, allowing unauthorized access to Codex's credentials. For Claude Code, Adversa exploited command execution restrictions by chaining commands in a way that exceeded the system's 50-subcommand limit, enabling unauthorized command execution.

JSON manipulation was another key vector of attack for Copilot. Attackers were able to inject malicious JSON into pull requests, bypassing traditional authentication mechanisms and gaining unauthorized access to the platform.

Each platform leveraged different vulnerabilities, highlighting diverse attack vectors. Codex's reliance on GitHub repositories provided an entry point through its user interface, while Claude Code's command structure allowed attackers to exploit system limitations. Copilot's use of JSON in pull requests opened a backdoor for unauthorized modifications.

Examples and Use Cases?

Common Mistakes or Risks?

Inadequate securing of user interfaces, exploitable command structures, and configuration settings with limited restrictions increase risk. Platforms should prioritize fixing these vulnerabilities and enhancing infrastructure security to prevent such attacks.

One common mistake is underestimating the complexity of certain vulnerabilities. For example, Claude Code's 50-subcommand restriction may seem absolute at first glance, but Adversa demonstrated that it could be bypassed through clever command chaining. Similarly, Codex's reliance on GitHub repositories provides an entry point for attackers who may not fully understand how to exploit user interface vulnerabilities.

Another risk is assuming that attackers will act in isolation. The timing of these attacks—over nine months after discoveries were made public—suggests that attackers may have waited for the right opportunity before launching their campaigns. This could indicate a lack of immediate response from platforms, allowing attackers more time to prepare and execute their attacks.

FAQs

  1. How were these vulnerabilities discovered?
    Vulnerabilities were discovered through exploits and token crafting tools available to attackers. BeyondTrust's exploit for Codex suggests potential tools exist for similar attacks.

  2. What are the risks?
    Risks include unauthorized credential access, potential model compromise if command structures are bypassed, and the need for robust user authentication practices.

  3. How do these vulnerabilities compare to other AI models?
    Other platforms may have similar vulnerabilities but haven't been exploited yet due to lack of opportunity or prioritization by developers.

  4. What's the timeframe for these incidents?
    The timeframe indicates attackers waited over nine months before launching their campaigns, suggesting platforms may have delayed fixing vulnerabilities.

This article highlights the importance of securing both AI models and their underlying infrastructure to mitigate such risks.

Sources

Frequently Asked Questions

What happened in the Claude Code, Copilot, and Codex hacks?

The hacks revealed vulnerabilities in the user interface of Claude Code, Copilot, and Codex, allowing unauthorized access.

How were the credentials stolen by attackers?

Attackers crafted a GitHub OAuth token by cloning repositories with a malicious branch name containing Ideographic Space characters to steal Codex credentials.

Which AI models were affected by this attack?

Claude Code, Copilot, and Codex were among the AI models affected.

Why did attackers target the user interface instead of the AI models themselves?

Attackers targeted the user interface because it was easier to manipulate access points than bypass the AI model security systems.

What methods did attackers use to steal the Codex credentials?

Attackers used a malicious branch name with Ideographic Space characters to clone repositories, allowing them to obtain an OAuth token for stealing Codex credentials.