# Incident Post-Mortem: Multi-Agent Credential Exfiltration Wave
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Feature | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface $neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* » **Patch Deployment:** Ensure Claude Code is $ge$ v2.1.90; verify Copilot August 2025 patches.
* » **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Feature | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface $neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* » **Patch Deployment:** Ensure Claude Code is $ge$ v2.1.90; verify Copilot August 2025 patches.
* » **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
This quickstart guide provides a step-by-step walkthrough for building, testing, and deploying AI agents using the Amazon Bedrock AgentCore CLI.
- code-based agents for full orchestration control using frameworks like LangGraph or OpenAI Agents
- managed harness preview for rapid configuration-based deployment.
- code-based agents for full orchestration control using frameworks like LangGraph or OpenAI Agents
- managed harness preview for rapid configuration-based deployment.
A zero-dependency Python CLI tool designed to provide AI coding agents with persistent session memory. It solves the problem of context window degradation and the "lost in the middle" phenomenon by allowing agents to perform efficient, read-only recalls from local SQLite session stores. Instead of burning thousands of tokens on project exploration or re-orientation, auto-memory enables targeted retrieval of recent files and task history using minimal token overhead.
Key features and technical details:
- Zero dependencies using only Python standard libraries.
- Read-only access to Copilot CLI's local SQLite database to ensure safety.
- Progressive disclosure mechanism ranging from cheap scans (~50 tokens) to full session details.
- Schema-aware design with built-in validation for tool updates.
- Compatible with GitHub Copilot CLI, Claude Code, Cursor, and other instruction-file supporting agents.
Key features and technical details:
- Zero dependencies using only Python standard libraries.
- Read-only access to Copilot CLI's local SQLite database to ensure safety.
- Progressive disclosure mechanism ranging from cheap scans (~50 tokens) to full session details.
- Schema-aware design with built-in validation for tool updates.
- Compatible with GitHub Copilot CLI, Claude Code, Cursor, and other instruction-file supporting agents.
A collection of specialized skills designed to improve how AI coding agents handle frontend development. Instead of producing generic or uninspired interfaces, these instructions enable AI tools to generate modern, premium designs characterized by high visual quality, proper spacing, and sophisticated animations. The system is framework-agnostic and works across major AI agents like Cursor, Claude Code, and GitHub Copilot via a simple CLI installation.
Main features include:
- Specialized skill variants for different design aesthetics such as soft UI, minimalist editorial styles, and brutalist interfaces.
- A three-dial parameterization system to adjust design variance, motion intensity, and visual density.
- An output-skill designed to prevent AI laziness by stopping placeholder comments and skipped code blocks.
Main features include:
- Specialized skill variants for different design aesthetics such as soft UI, minimalist editorial styles, and brutalist interfaces.
- A three-dial parameterization system to adjust design variance, motion intensity, and visual density.
- An output-skill designed to prevent AI laziness by stopping placeholder comments and skipped code blocks.
GitHub introduces Rubber Duck, an experimental feature for the GitHub Copilot CLI designed to provide a second opinion during coding tasks. By leveraging a different AI model family than the primary orchestrator—such as using GPT-5.4 to review Claude models—Rubber Duck acts as an independent reviewer to catch architectural errors, logical bugs, and cross-file conflicts that a single model might miss due to inherent training biases.
The author proposes a 5-layer framework to standardize "harness engineering":
1. **Constraint (Architecture):** Deterministic rules (linters, API contracts).
2. **Context (Dev):** Memory and knowledge injection.
3. **Execution (Platform):** Tool orchestration and sandboxing.
4. **Verification (Dev/QA):** Output validation and error loops.
5. **Lifecycle (SRE):** Monitoring, cost tracking, and recovery.
**Strategic Insight:** While platforms like Anthropic are increasingly absorbing the Context, Execution, and Lifecycle layers, developers must still own **Constraint** and **Verification**. To maximize efficiency on managed platforms, teams should prioritize deterministic constraints (Layer 1) to reduce token waste and improve reliability.
1. **Constraint (Architecture):** Deterministic rules (linters, API contracts).
2. **Context (Dev):** Memory and knowledge injection.
3. **Execution (Platform):** Tool orchestration and sandboxing.
4. **Verification (Dev/QA):** Output validation and error loops.
5. **Lifecycle (SRE):** Monitoring, cost tracking, and recovery.
**Strategic Insight:** While platforms like Anthropic are increasingly absorbing the Context, Execution, and Lifecycle layers, developers must still own **Constraint** and **Verification**. To maximize efficiency on managed platforms, teams should prioritize deterministic constraints (Layer 1) to reduce token waste and improve reliability.
The author explores the potential of running an AI agent framework on low-cost hardware by testing MimiClaw, an OpenClaw-inspired assistant, on an ESP32-S3 microcontroller. Unlike traditional AI setups, MimiClaw operates without Node.js or Linux, requiring the user to flash custom firmware using the ESP-IDF framework. The setup integrates with Telegram for interaction and utilizes Anthropic and Tavily APIs for intelligence and web searching. Despite the technical hurdles of installation and potential API costs, the project successfully demonstrates a functional, sandboxed, and low-power personal assistant capable of persistent memory and routine tracking.
This repository focuses on the concept of an "agent" as a trained model, not just a framework or prompt chain. It emphasizes building a "harness" – the tools, knowledge, and interfaces that allow the model to function effectively in a specific domain. The core idea is that the model *is* the agent, and the engineer’s role is to create the environment it needs to succeed.
The content details a 12-session learning path, reverse-engineering the architecture of Claude Code to understand how to build robust and scalable agent harnesses. It highlights the importance of separating the agent (model) from the harness, and provides resources for extending this knowledge into practical applications.
The content details a 12-session learning path, reverse-engineering the architecture of Claude Code to understand how to build robust and scalable agent harnesses. It highlights the importance of separating the agent (model) from the harness, and provides resources for extending this knowledge into practical applications.
This article details a project where the author successfully implemented OpenClaw, an AI agent, on a Raspberry Pi. OpenClaw allows the Raspberry Pi to perform real-world tasks, going beyond simple responses to actively controlling applications and automating processes. The author demonstrates OpenClaw's capabilities, such as ordering items from Blinkit, creating and saving files, listing audio files, and generally functioning as a portable AI assistant. The project utilizes a Raspberry Pi 4 or 5 and involves installing and configuring OpenClaw, including setting up API integrations and adjusting system settings for optimal performance.
This article introduces `install.md`, a proposed standard for creating installation instructions that are easily understood and executed by LLM-powered agents. The core idea is to provide a structured markdown file that details the installation process in a way that an agent can autonomously follow. This contrasts with traditional documentation geared towards human readers and allows for automated installation across various environments. The standard includes sections for product description, action prompts, objectives, verification criteria, and step-by-step instructions. Mintlify now auto-detects and generates `install.md` files for projects, offering a streamlined approach to agent-friendly documentation.
