OpenAI Codex Command Injection Flaw Allowed GitHub OAuth Token Theft — Phantom Labs Research
A critical vulnerability in OpenAI Codex — silently patched in February 2026 — allowed attackers to steal GitHub OAuth tokens through command injection, potentially compromising entire enterprise organizations sharing code repositories. Full public disclosure arrived March 31, 2026, thanks to research from Phantom Labs. The Vulnerability Phantom Labs, an identity security firm, discovered that OpenAI Codex was vulnerable to command injection in its shell execution environment. An attacker who could influence the commands sent to Codex — through crafted prompts, malicious repository content, or injected tool responses — could exfiltrate the GitHub OAuth token that Codex uses to authenticate with repositories. ...