OpenAI Codex Had a Command Injection Bug That Could Steal Your GitHub Tokens

BeyondTrust's Phantom Labs just published a report on a command injection vulnerability in OpenAI's Codex. It's patched now, but the attack pattern matters because it's exactly the kind of thing vibe coders won't see coming. What Happened Codex runs tasks inside managed containers that clone your GitHub repo and authenticate using short-lived OAuth tokens. The vulnerability: branch names weren't sanitized before being passed to shell commands during environment setup. An attacker could craft a malicious branch name that injects arbitrary shell commands. Those commands execute inside the container with access to your GitHub token. The attack worked across: The Codex web interface The CLI The SDK IDE integrations Worse: it could be scaled. Embed a malicious payload in a branch name, and every developer who interacts with that repo through Codex gets compromised. What Could Be Stolen The GitHub OAuth tokens Codex uses aren't just read tokens. In enterprise environments where Codex has bro