# Incident Post-Mortem: Multi-Agent Credential Exfiltration Wave
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Feature | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface $neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* » **Patch Deployment:** Ensure Claude Code is $ge$ v2.1.90; verify Copilot August 2025 patches.
* » **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Feature | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface $neq$ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* » **Patch Deployment:** Ensure Claude Code is $ge$ v2.1.90; verify Copilot August 2025 patches.
* » **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
OpenAI has officially unveiled GPT-5.5, a significant leap in large language model capabilities that emphasizes "agentic" performance in coding, scientific research, and autonomous computer use.
Available in standard and high-precision "Pro" variants for ChatGPT subscribers, the new model retakes the industry lead by outperforming rivals like Anthropic’s Claude Opus 4.7 across numerous benchmarks, including specialized terminal navigation.
While OpenAI has implemented stricter safety protocols and higher API pricing to manage its advanced reasoning capabilities, early feedback from developers and scientists suggests the model represents a fundamental shift toward AI that can execute complex, multi-step professional workflows with minimal human intervention.
Available in standard and high-precision "Pro" variants for ChatGPT subscribers, the new model retakes the industry lead by outperforming rivals like Anthropic’s Claude Opus 4.7 across numerous benchmarks, including specialized terminal navigation.
While OpenAI has implemented stricter safety protocols and higher API pricing to manage its advanced reasoning capabilities, early feedback from developers and scientists suggests the model represents a fundamental shift toward AI that can execute complex, multi-step professional workflows with minimal human intervention.
How to use AI skills—reusable packages of instructions and files—to automate repetitive data science workflows. By moving beyond simple prompting into structured skills, users can maintain shorter context windows while ensuring consistent, high-quality outputs for complex tasks like data visualization or metric investigation.
* A skill consists of a SKILL.md file with metadata and detailed instructions to guide an AI through specific recurring processes.
* Using skills helps keep the main LLM context lightweight by only loading detailed resources when they are relevant to the task.
* The author demonstrates this by automating a weekly visualization habit, reducing a one-hour manual process to less than ten minutes.
* Building effective skills requires iterative testing, incorporating personal domain knowledge, and researching external best practices.
* Combining skills with Model Context Protocol (MCP) allows AI to both follow specific procedural playbooks and access external data tools seamlessly.
* A skill consists of a SKILL.md file with metadata and detailed instructions to guide an AI through specific recurring processes.
* Using skills helps keep the main LLM context lightweight by only loading detailed resources when they are relevant to the task.
* The author demonstrates this by automating a weekly visualization habit, reducing a one-hour manual process to less than ten minutes.
* Building effective skills requires iterative testing, incorporating personal domain knowledge, and researching external best practices.
* Combining skills with Model Context Protocol (MCP) allows AI to both follow specific procedural playbooks and access external data tools seamlessly.
Schematik is a new AI-driven program designed to democratize hardware engineering by allowing users to "vibe code" physical devices. Much like Cursor has revolutionized software development through AI assistance, Schematik helps non-experts design electronics, suggests necessary components, and provides links for purchasing parts. The tool aims to lower the barrier to entry for makers while ensuring safety through low-voltage constraints.
Key points:
* Schematik functions as an assistant that guides users from concept to physical assembly.
* The startup recently secured $4.6 million in funding from Lightspeed Venture Partners.
* Anthropic has signaled interest by releasing a Bluetooth API for makers to connect hardware with Claude.
* The tool focuses on low-voltage architecture to prevent dangerous electrical failures during the learning process.
Key points:
* Schematik functions as an assistant that guides users from concept to physical assembly.
* The startup recently secured $4.6 million in funding from Lightspeed Venture Partners.
* Anthropic has signaled interest by releasing a Bluetooth API for makers to connect hardware with Claude.
* The tool focuses on low-voltage architecture to prevent dangerous electrical failures during the learning process.
A single CLAUDE.md file to improve Claude Code behavior, derived from Andrej Karpathy's observations on LLM coding pitfalls.
This article explores the "Ralph" technique, a method for using Large Language Models (LLMs) to automate software engineering through continuous, autonomous loops. Rather than seeking a perfect prompt, the author advocates for a "monolithic" approach where a single process performs one task per loop, guided by strict specifications and technical standard libraries. The author demonstrates this by using the technique to build "CURSED," a brand-new programming language, even in the absence of training data for that specific language. By managing context windows through subagents and implementing robust backpressure via testing and static analysis, the "Ralph" technique aims to significantly automate greenfield software development projects.
Rohan, a developer, analyzed the 30MB TypeScript source code of Anthropic’s Claude Code, a terminal-based AI coding agent. While praising the tool’s impressive engineering in areas like its query loop and concurrency system, he identified several architectural choices that appear problematic, particularly given Anthropic’s substantial funding. These issues include a massive single React component, extensive use of feature flags and environment variables, circular dependencies, and convoluted type handling – all indicative of a codebase that grew rapidly without sufficient architectural foresight. Despite these concerns, the tool functions well and is widely used, highlighting the prioritization of functionality over pristine code quality.
* **Giant React Component:** The main interface is a single 5,005-line React component with 227 hook calls, making it difficult to test and maintain.
* **Feature Flag Overload:** 89 feature flags are scattered throughout the code, suggesting a lack of clear product direction and increasing complexity.
* **Circular Dependencies:** 61 files contain workarounds for circular dependencies, revealing a poorly designed module structure.
* **Verbose Type Casting:** A specific type name appears 1,193 times as a cast to ensure safe logging of analytics data, creating unnecessary noise.
* **Conditional Requires & Growth:** Many issues stem from rapid growth; features were added quickly, leading to architectural debt and workarounds like conditional `require()` statements.
* **Giant React Component:** The main interface is a single 5,005-line React component with 227 hook calls, making it difficult to test and maintain.
* **Feature Flag Overload:** 89 feature flags are scattered throughout the code, suggesting a lack of clear product direction and increasing complexity.
* **Circular Dependencies:** 61 files contain workarounds for circular dependencies, revealing a poorly designed module structure.
* **Verbose Type Casting:** A specific type name appears 1,193 times as a cast to ensure safe logging of analytics data, creating unnecessary noise.
* **Conditional Requires & Growth:** Many issues stem from rapid growth; features were added quickly, leading to architectural debt and workarounds like conditional `require()` statements.
This repository contains the leaked source code of Anthropic's Claude Code CLI, which occurred on March 31, 2026, due to a .map file exposure in their npm registry. Claude Code is a terminal-based tool for software engineering tasks, including file editing, command execution, codebase searching, and Git workflow management.
The codebase is written in TypeScript and runs on Bun, utilizing React and Ink for its terminal UI. It features a robust tool system, command system, service layer, bridge system for IDE integration, and a permission system. The project incorporates several design patterns like parallel prefetching and lazy loading to optimize performance.
The codebase is written in TypeScript and runs on Bun, utilizing React and Ink for its terminal UI. It features a robust tool system, command system, service layer, bridge system for IDE integration, and a permission system. The project incorporates several design patterns like parallel prefetching and lazy loading to optimize performance.
This repository focuses on the concept of an "agent" as a trained model, not just a framework or prompt chain. It emphasizes building a "harness" – the tools, knowledge, and interfaces that allow the model to function effectively in a specific domain. The core idea is that the model *is* the agent, and the engineer’s role is to create the environment it needs to succeed.
The content details a 12-session learning path, reverse-engineering the architecture of Claude Code to understand how to build robust and scalable agent harnesses. It highlights the importance of separating the agent (model) from the harness, and provides resources for extending this knowledge into practical applications.
The content details a 12-session learning path, reverse-engineering the architecture of Claude Code to understand how to build robust and scalable agent harnesses. It highlights the importance of separating the agent (model) from the harness, and provides resources for extending this knowledge into practical applications.
Meta is heavily investing in AI integration, demonstrated through "AI Week" – intensive training sessions for employees. These weeks involve hackathons, demos, and hands-on experimentation with tools like Anthropic's Claude Code. The goal is to foster AI adoption across all job functions and seniority levels, with a focus on AI agents capable of automating tasks like coding and report generation.
Meta is also restructuring teams into AI-native "pods" and setting specific AI adoption targets. CEO Mark Zuckerberg believes 2026 will see a significant impact of AI on the way Meta employees work, despite recent layoffs and the delayed launch of its own AI model.
Meta is also restructuring teams into AI-native "pods" and setting specific AI adoption targets. CEO Mark Zuckerberg believes 2026 will see a significant impact of AI on the way Meta employees work, despite recent layoffs and the delayed launch of its own AI model.
