klotz: github*


  1. # Incident Post-Mortem: Multi-Agent Credential Exfiltration Wave
    **Date:** April 30, 2026
    **Severity:** Critical (P1)
    **Status:** Resolved / Patched
    **Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI

    ---

    ## 1. Executive Summary
    Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.

    ## 2. Incident Overview
    | Feature | Description |
    | :--- | :--- |
    | **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
    | **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
    | **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |

    ## 3. Root Cause Analysis (RCA)

    ### A. Codex: Command Injection via Parameter Obfuscation
    * **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
    * **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.

    ### B. Claude Code: Sandbox & Logic Bypass
    * **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
    * **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
    * **Performance Trade-off:** To optimize for speed, a logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands.

    ### C. GitHub Copilot: Prompt Injection in Metadata
    * **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.

    ### D. Vertex AI: Excessive Default Scoping
    * **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.

    ## 4. Lessons Learned
    1. **Interface $\neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
    2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
    3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.

    ## 5. Corrective Action Plan (CAP)

    ### Immediate Technical Remediation
    * **Patch Deployment:** Ensure Claude Code is $\geq$ v2.1.90; verify Copilot August 2025 patches.
    * **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.

    ### Long-term Governance & Prevention
    * **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
    * **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
    * **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
    * **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
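As an added example (not part of the bookmarked post-mortem or any vendor's code), the following Python check applies the "Zero Trust Input Policy" from section 5 to branch names before they reach a setup script, rejecting both the semicolon/backtick subshells and the U+3000 lookalike described in section 3.A. The function names `validate_branch_name`, `clone_argv` and `triage` and the allow-list regex are choices made here, not anything the report specifies.

```python
import re
import unicodedata

# Conservative allow-list for branch names we will hand to a setup script.
# Constructed for this example and deliberately stricter than git-check-ref-format.
_SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def validate_branch_name(name: str) -> str:
    """Return name unchanged if it is safe to use as a git ref, else raise ValueError."""
    for ch in name:
        # Reject anything non-ASCII and any control/separator character outright.
        # This catches U+3000 IDEOGRAPHIC SPACE, which makes "main\u3000" render
        # like "main" in a web portal (the stealth tactic in section 3.A).
        if ord(ch) > 0x7F or unicodedata.category(ch)[0] in ("C", "Z"):
            label = unicodedata.name(ch, "unnamed")
            raise ValueError(f"disallowed character U+{ord(ch):04X} ({label})")
    # Shell metacharacters (; ` $ | &) never pass the allow-list, so a branch name
    # cannot open a subshell even if a downstream script interpolates it.
    if not _SAFE_REF.fullmatch(name):
        raise ValueError("branch name contains characters outside the allow-list")
    if ".." in name or "//" in name or name.endswith(("/", ".lock", ".")):
        raise ValueError("branch name is not a well-formed git ref")
    return name


def clone_argv(repo_url: str, branch: str) -> list[str]:
    """Build the git argv as a list, never a shell string, for a validated branch."""
    safe = validate_branch_name(branch)
    # "--" stops git from treating a ref or URL as an option; passing a list to
    # subprocess.run (not invoked here) means no shell ever parses the branch name.
    return ["git", "clone", "--depth", "1", "--branch", safe, "--", repo_url]


def triage(candidates: list[str]) -> dict[str, str]:
    """Map each candidate branch name to 'ok' or the reason it was rejected."""
    verdicts = {}
    for name in candidates:
        try:
            verdicts[validate_branch_name(name)] = "ok"
        except ValueError as exc:
            verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    # Constructed samples: two legitimate names plus the two attack shapes from 3.A.
    samples = ["main", "release/1.2", "main\u3000", "main;id", "`id`"]
    for name, verdict in triage(samples).items():
        print(repr(name), "->", verdict)
```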
  2. OpenKB is an open-source command-line system designed to transform raw documents into a structured, interlinked wiki-style knowledge base using Large Language Models. Unlike traditional RAG systems that rediscover information with every query, OpenKB compiles knowledge once into a persistent format where summaries, concept pages, and cross-references are automatically maintained and updated.
    Key features and capabilities include:
    - Vectorless long document retrieval powered by PageIndex tree indexing.
    - Native multi-modality for understanding figures, tables, and images.
    - Broad format support including PDF, Word, Markdown, PowerPoint, HTML, and Excel.
    - Automated wiki compilation that creates summaries and synthesizes concepts across documents.
    - Interactive chat sessions with persisted history and Obsidian compatibility via wikilinks.
    - Health check tools (linting) to identify contradictions, gaps, or stale content within the knowledge base.
  3. A self-hosted tool designed to manage personal or team link collections using a version-controlled YAML file. The application serves these links as a clean, searchable web page without the need for a database.

    - YAML-driven configuration for easy human-readable management
    - Support for grouped links and named sections
    - Client-side live search functionality
    - Docker-ready deployment via official images
    - Responsive design optimized for mobile and desktop
    - High accessibility with a 100% Lighthouse score
    - Lightweight architecture built on Flask and Tailwind CSS
  4. An open-source, theoretical implementation of the Claude Mythos model architecture. The project implements a Recurrent-Depth Transformer (RDT) consisting of three stages: a Prelude, a looped Recurrent Block, and a final Coda. It utilizes switchable attention between Multi-Latent Attention (MLA) and Grouped Query Attention (GQA), alongside a sparse Mixture of Experts (MoE) design to facilitate compute-adaptive reasoning in continuous latent space.
    Key technical features include:
    * Recurrent-Depth Transformer architecture for implicit chain-of-thought reasoning.
    * LTI-stable injection parameters to prevent residual explosion during training.
    * Support for multiple model scales ranging from 1B to 1T parameters.
    * Integration of Adaptive Computation Time (ACT) or similar halting mechanisms to manage overthinking.
    * Use of fine-grained MoE with shared experts to balance breadth and depth.
  5. A clean-room, header-only C/C++ implementation of the Meshtastic LoRa mesh protocol designed for embedded systems. This standalone library allows devices to interoperate with the Meshtastic network without requiring heavy dependencies like Arduino, RadioLib, or FreeRTOS. It handles everything from raw LoRa byte processing to decoded messages including text, position, and telemetry data.
    Key features include:
    - Packet parsing and AES-256-CTR encryption/decryption
    - PKI direct messages using x25519 key exchange
    - Channel management and PSK expansion
    - Protobuf decoding for various message types without Nanopb dependency
    - Radio configuration including regional settings and modem presets
    - CSMA/CA implementation for MAC protocol compliance
    2026-04-26 by klotz
  6. Personal website of Alex L. Zhang, a PhD student at MIT CSAIL focusing on the efficiency and utilization of language models. His research spans ML systems, language model benchmarks, and specialized model development.
    Key areas of work include:
    - Recursive Language Models (RLMs) and Project Popcorn
    - GPU programming competitions via KernelBot and GPU MODE
    - Benchmarking capabilities through VideoGameBench and KernelBench
    - Development of models like Neo-1 and KernelLLM-8B
  7. A zero-dependency Python CLI tool designed to provide AI coding agents with persistent session memory. It solves the problem of context window degradation and the "lost in the middle" phenomenon by allowing agents to perform efficient, read-only recalls from local SQLite session stores. Instead of burning thousands of tokens on project exploration or re-orientation, auto-memory enables targeted retrieval of recent files and task history using minimal token overhead.
    Key features and technical details:
    - Zero dependencies using only Python standard libraries.
    - Read-only access to Copilot CLI's local SQLite database to ensure safety.
    - Progressive disclosure mechanism ranging from cheap scans (~50 tokens) to full session details.
    - Schema-aware design with built-in validation for tool updates.
    - Compatible with GitHub Copilot CLI, Claude Code, Cursor, and other instruction-file supporting agents.
  8. This article explores how a team built an AI-powered emoji list generator during a Rubber Duck Thursday live stream. The tool runs in the terminal, takes a list of bullet points, and uses AI to intelligently replace them with relevant emojis before copying the result to the clipboard.
    Key highlights include:
    - Use of GitHub Copilot CLI for rapid development via plan and autopilot modes.
    - Integration of @opentui/core for the terminal user interface.
    - Leveraging the GitHub Copilot SDK to provide intelligent emoji selection.
    - Implementation of a multi-model workflow using different LLMs for planning and execution.
    2026-04-19 by klotz
  9. NocKinematics is a modern, modular, and lightweight C++ Inverse Kinematics library designed specifically for Arduino and ESP32 microcontrollers. It utilizes the FABRIK (Forward And Backward Reaching Inverse Kinematics) algorithm to provide fast, iterative computations that are more efficient than traditional Jacobian Matrix approaches. The library is optimized for memory-constrained systems like AVR and ESP8266 by using specialized dynamic memory allocation to prevent RAM fragmentation.
    Key features and topics:
    * N-Joint Support for arbitrary numbers of connected joints.
    * Memory-optimized architecture avoiding heavy std::vector usage.
    * Platform agnostic compatibility with Arduino Uno, Nano, Mega, ESP8266, and ESP32.
    * Practical implementation examples ranging from basic logic verification to multi-DOF servo motor control.
    * Support for complex mechanisms like snake or tentacle simulations via the MultiJointSnake example.
  10. A resource guide for TOPS-20AN, providing essential information and links for researchers or enthusiasts interested in this historical operating system. The page outlines effective search terms, recommended hunting grounds like bitsavers.org, and specific instructions for running various versions of TOPS-20 on KS10 or KL10 hardware.
    Main topics include:
    - Recommended search queries (tops20an, netwrk.mac, etc.)
    - Documentation and information sources
    - Links to historical code and installation/distribution tapes
