Claude Code, Copilot, and Codex All Got Hacked: Every Attacker Went for the Credentials, Not the Model.
CLAUDE CODE'S SOURCE CODE LEAK AND ITS IMPLICATIONS
On March 30, 2023, the AI landscape faced a significant blow when the source code of Anthropic's Claude Code leaked and was subsequently uploaded to the public npm registry. This incident raised immediate concerns about the security and integrity of AI coding agents. The breach not only exposed the inner workings of Claude Code but also highlighted weaknesses that malicious actors could exploit. With the source code in the wild, the risk of further attacks increases, because attackers can analyze the leaked code for flaws and devise new strategies to compromise the system.
The implications of this leak extend beyond just Claude Code. It serves as a wake-up call for the entire industry, emphasizing the need for robust security measures and thorough vetting of AI systems before deployment. As organizations increasingly rely on AI tools for coding and development, the security of these systems must be prioritized to prevent similar breaches in the future.
HOW ATTACKERS TARGETED CREDENTIALS IN THE CLAUDE CODE HACK
The Claude Code hack exemplifies a troubling trend in cybersecurity where attackers focus on stealing credentials rather than compromising the underlying models. In this case, the attackers leveraged a crafted GitHub branch name to extract Codex’s OAuth token in cleartext, a vulnerability that was classified as Critical P1 by OpenAI. This method of attack underscores a critical oversight in the security protocols surrounding AI coding agents.
By targeting credentials, attackers can gain unauthorized access to production systems without needing to manipulate the AI model itself. This approach not only simplifies the attack process but also raises questions about the security measures in place to protect sensitive information. The Claude Code incident illustrates how attackers can exploit seemingly minor vulnerabilities to access critical resources, emphasizing the need for organizations to implement stricter credential management practices.
THE ROLE OF CREDENTIALS IN THE CODING AGENT ATTACKS ON CLAUDE CODE AND CODEX
The recent attacks on Claude Code and Codex reveal a disturbing pattern where the exploitation of credentials plays a central role. Research teams have disclosed multiple exploits against these AI coding agents, all following a similar modus operandi: an AI coding agent holds a credential, executes an action, and authenticates to a production system without a human session anchoring the request. This lack of human oversight makes it easier for attackers to hijack these processes.
Merritt Baer, CSO at Enkrypt AI, pointed out in an exclusive interview that enterprises often mistakenly believe they have vetted AI vendors thoroughly. However, what they have actually approved is often just an interface, leaving the underlying system—and its credentials—vulnerable. This misconception can lead to severe security breaches, as seen in the cases of Claude Code and Codex. The reliance on automated processes without adequate safeguards can create significant security gaps that attackers are eager to exploit.
EXPLORING THE EXPLOITS AGAINST CLAUDE CODE, COPILOT, AND CODEX
The exploits targeting Claude Code, Copilot, and Codex have revealed a systemic issue within the security framework of AI coding agents. At the Black Hat USA 2025 conference, Zenity CTO Michael Bargury demonstrated how easily ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein, and Cursor could be hijacked with zero clicks, showcasing the vulnerabilities present in these systems. This demonstration highlighted the ease with which attackers could manipulate AI tools to gain access to sensitive information.
In the months following this demonstration, six research teams reported various exploits that targeted the same weaknesses in these AI systems. The consistent theme across these attacks was the focus on credentials rather than the models themselves. As attackers increasingly adopt this strategy, the need for enhanced security protocols becomes more pressing. Organizations must recognize that the security of their AI tools is only as strong as the protections surrounding the credentials used to access them.
LESSONS FROM THE CLAUDE CODE AND CODEX SECURITY BREACHES
The security breaches involving Claude Code and Codex offer valuable lessons for organizations leveraging AI coding agents. First and foremost, there is an urgent need to reassess the security measures in place for managing credentials. Organizations must implement stricter controls, including multi-factor authentication and regular audits of access logs, to mitigate the risks associated with credential theft.
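The pattern described above (an agent holding a credential and authenticating without a human session anchoring the request) and the recommended audit of access logs can be turned into a concrete detection. The following is an added example, not code from the article or from any of the vendors named in it; the JSON event shape, the session registry and the token prefixes are constructed assumptions for illustration.

```python
import json
import re
from typing import Iterable

# Constructed sample audit events (not from any real system). Each line is one
# credential use by an actor, as an agent-aware audit pipeline might record it.
SAMPLE_EVENTS = [
    '{"ts":"2025-10-01T10:00:01Z","actor":"ci-agent","actor_type":"agent","credential":"oauth",'
    '"action":"repo.push","target":"prod-deploy","human_session":"sess-7f3a"}',
    '{"ts":"2025-10-01T10:00:07Z","actor":"ci-agent","actor_type":"agent","credential":"oauth",'
    '"action":"secrets.read","target":"prod-vault","human_session":null}',
    '{"ts":"2025-10-01T10:00:09Z","actor":"alice","actor_type":"human","credential":"sso",'
    '"action":"repo.push","target":"prod-deploy","human_session":"sess-7f3a"}',
    '{"ts":"2025-10-01T10:00:15Z","actor":"ci-agent","actor_type":"agent","credential":"oauth",'
    '"action":"git.fetch","target":"prod-deploy","human_session":"sess-dead",'
    '"detail":"auth header gho_EXAMPLEFAKE0000000000"}',
]

# Hypothetical registry of currently active human sessions the detector can consult.
ACTIVE_HUMAN_SESSIONS = {"sess-7f3a"}

# Constructed token shape: flags credential material that has leaked into free text.
TOKEN_RE = re.compile(r"\b(?:ghp|gho|sk)_[A-Za-z0-9]{12,}\b")


def redact(line: str) -> str:
    """Mask any cleartext token before the line is stored or forwarded."""
    return TOKEN_RE.sub("[REDACTED]", line)


def audit_agent_events(lines: Iterable[str]) -> list:
    """Return one finding per event that breaks the anchoring or cleartext rule."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        reasons = []
        if ev.get("actor_type") == "agent":
            sess = ev.get("human_session")
            if not sess:
                reasons.append("agent credential used with no human session anchor")
            elif sess not in ACTIVE_HUMAN_SESSIONS:
                reasons.append(f"anchor {sess} is not an active human session")
        if TOKEN_RE.search(line):
            reasons.append("credential material appears in cleartext")
        if reasons:
            findings.append({"ts": ev["ts"], "actor": ev["actor"],
                             "action": ev["action"], "reasons": reasons})
    return findings
```

Run over the constructed events, the second (no anchor) and fourth (stale anchor plus cleartext token) lines are flagged; the anchored agent push and the human push are not.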
Furthermore, the industry must move beyond viewing AI tools as standalone solutions and recognize the importance of securing the entire ecosystem, including the interfaces and underlying systems. This holistic approach to security will help organizations better protect against future breaches and ensure the integrity of their AI systems.
Finally, continuous education and awareness are essential in fostering a security-first culture within organizations. By understanding the tactics employed by attackers and the vulnerabilities present in AI coding agents, teams can better prepare for potential threats and develop strategies to safeguard their systems. The Claude Code and Codex breaches serve as a critical reminder that in the rapidly evolving landscape of AI, vigilance and proactive security measures are paramount.