Coding agents had credential exploits

- Security researchers tied a string of 2026 coding-agent exploits to credential theft and access-control failures, hitting Anthropic’s Claude Code, GitHub Copilot Agent, and OpenAI Codex.
- The sharpest detail: Claude Code’s deny rules could fail after long command chains until Anthropic fixed rule-matching bugs in version 2.1.90 and later.
- The pattern matters because the weak point is runtime identity — tokens, secrets, repo permissions — not the model weights.

AI coding agents are starting to look less like chatbots and more like junior engineers with keys to the building. That is the appeal. It is also the problem. The recent exploit chain across Claude Code, GitHub Copilot Agent, and Codex was not about stealing model weights or “jailbreaking” the model in some abstract way. It was about getting the agent to misuse real credentials in the environment where it runs. (oddguan.com)

### What actually got exploited?

The common target was the agent’s runtime — the shell, the GitHub Action runner, the repo checkout, the API keys in environment variables, and the short-lived tokens the tool uses to do work on a developer’s behalf. In the GitHub-based attacks, malicious pull request titles, issue bodies, or comments were enough to smu(oddguan.com)sue was command injection through branch names, which could expose GitHub OAuth tokens. (oddguan.com)

### Why is that different from “the model was hacked”?

Because the model is mostly the planner here. The dangerous part is the tool belt attached to it. A coding agent can read files, run shell commands, call APIs, push commits, and comment on pull requests. Once an attacker can steer those actions, the model does not need to be “broken” in the classi(oddguan.com)ions. (oddguan.com)

### What happened with Claude Code?

Claude Code had a separate access-control problem around deny rules — the user-defined rules meant to block dangerous commands. Public writeups described cases where deny rules could be bypassed or fail to apply reliably, especially around command parsing and long or unusual command forms. Anthropic’s changelog now (oddguan.com)ing tied one major fix to version 2.1.90. (adversa.ai)

### Why do GitHub comments matter so much?

Because they look harmless. A pull request title or issue comment feels like text, not code. But an agent reading GitHub context treats that text as part of the job. That turns comments into a control channel.

The Johns Hopkins-linked research called this “Comment and Control” — a nice name for a nasty trick. An outside contributor can plant instructions(adversa.ai)tform’s own features. (oddguan.com)

### Why are credentials the real prize?

A stolen token is immediately useful. It can open private repos, trigger workflows, call paid APIs, or move laterally into other systems. That is much more practical than trying to extract a model or reverse-engineer weights. Turns out the agent is just a new wrapper around an old truth in security — identity is the perimeter now. (oecd.ai)

### So what should teams change?

Treat coding agents like privileged automation, not smart autocomplete. Give them narrower scopes. Separate read from write. Keep secrets out of default environments. Require explicit approval for sensitive actions. Sanitize untrusted repo content before it reaches the agent. And update fast — especially if you run Claude Code builds before the permission-rule fixes landed. (code.claude.com)he bottom line? The lesson is not that coding agents are uniquely broken. It is that they inherit every old IAM and secret-management mistake, then amplify it with autonomy. The model is not the crown jewel in these incidents. The credentials are. (venturebeat.com)
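An added illustration of the checklist above, not taken from the briefing or from any of the vendors it names: a GitHub Actions workflow that hands pull request context to a coding agent, first with the weak settings the briefing describes (broad token, secret in the default environment, untrusted PR text expanded into a shell command), then with the narrowed form. The `./agent` script, the `agent-write` environment, and the secret name are assumptions; the two documents are shown in one file only for comparison.

```yaml
# Constructed example, not a vendor-published workflow.
# BEFORE: every step gets a full-write token and the API key,
# and untrusted PR text is templated straight into a shell command.
name: agent-review (weak)
on: pull_request_target
permissions: write-all                 # whole repo writable from any step
jobs:
  review:
    runs-on: ubuntu-latest
    env:
      AGENT_API_KEY: ${{ secrets.AGENT_API_KEY }}   # visible to every step
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}   # runs the PR's own code
      - run: ./agent review --title "${{ github.event.pull_request.title }}"
        # the title is substituted before the shell parses the line, so any
        # shell metacharacters in it become part of the command itself

---
# AFTER: read-only default token, write scope limited to the one job that
# needs it and gated by an approval environment, the secret exposed only to
# the step that uses it, and untrusted text passed as data, not as template.
name: agent-review (narrowed)
on: pull_request
permissions:
  contents: read                       # default for every job
jobs:
  review:
    runs-on: ubuntu-latest
    environment: agent-write           # assumed environment with required reviewers
    permissions:
      contents: read
      pull-requests: write             # only what posting a comment needs
    steps:
      - uses: actions/checkout@v4      # merge ref of the PR, not an arbitrary branch
      - name: Run agent on PR text as data
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
          AGENT_API_KEY: ${{ secrets.AGENT_API_KEY }}   # scoped to this step
        run: ./agent review --title "$PR_TITLE" --body "$PR_BODY"
        # the shell receives the values through variables; the quotes keep each
        # one a single argument, so the text never becomes part of the command
```

The remaining control from the briefing, sanitizing the text before the agent reads it, belongs inside `./agent`, since the workflow can only decide what reaches it and with which credentials.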

Shared from Scout - Be the smartest in the room.