Español
English
Français
Português
Deutsch
Italiano
The Silent Assault on Coding AIs: It's Not the Brain, It's the Keys
In the dizzying world of artificial intelligence, where new capabilities and promises emerge every day, a pattern of cyberattacks has begun to paint a worrying, yet clear, picture of the true vulnerability of next-generation coding AIs. Names resonate strongly: Codex, Claude Code, Copilot, Vertex AI. These intelligent assistants, designed to revolutionize software development, have been the target of a coordinated series of exploits that reveal an inescapable reality: the attackers' goal is not to manipulate the model's logic, but to seize its access credentials. It's a brutally simple lesson: it's not the brain, it's the keys.
The Alarming Pattern of Recent Vulnerabilities
Recent months have witnessed a streak of incidents that, far from being isolated events, confirm a trend. On March 30, security firm BeyondTrust demonstrated an ingenious technique: a carefully crafted GitHub branch could extract Codex's OAuth token in plain text. This finding was classified as Critical P1 by OpenAI, an indication of its severity. Just two days later, the tech community was shaken by another piece of news: Anthropic's Claude Code source code was leaked to the public npm registry. What followed was even more revealing. Within hours, the company Adversa discovered that Claude Code, under certain conditions, ignored its own denial rules if a command exceeded 50 subcommands. These are not trivial errors; they are symptoms of a systemic problem.
These incidents are just the tip of the iceberg of a series of vulnerabilities that have manifested over nine months. Six different research teams have revealed exploits against Codex, Claude Code, Copilot, and Vertex AI. And, consistently, each exploit has followed the same script: an AI coding agent, endowed with a credential, executes an action and authenticates to a production system without human supervision or “anchoring” of a human session. The AI, acting autonomously with elevated privileges, becomes a direct attack vector to an organization's critical infrastructure.
The Root of the Problem: Credentials and Unattended Authentication
The persistence of this pattern underscores a fundamental truth about security in the age of AI: the weakest link often does not lie in the algorithmic complexity of the models, but in the management and use of the credentials these models employ to interact with the real world. When a coding AI is designed to interact with code repositories, project management systems, deployment environments, or databases, it needs to authenticate. If these credentials are stored insecurely, are too permissive, or are used without proper access control, they become a prime target.
The problem is exacerbated by the notion of “authentication without human session anchoring.” Traditionally, actions in production systems require the active presence of an authenticated human user, with sessions that have a limited lifecycle and are subject to MFA policies. However, AIs are designed to operate continuously and autonomously. If they are granted credentials with broad permissions and without a human validation mechanism at each critical step, they become an ideal entry point for attackers. A stolen OAuth token, an exposed API key, or a poorly managed repository secret can grant the attacker the same capabilities as the AI itself, but with malicious intent.
The Precedent of Black Hat USA 2025: An Ignored Warning
The most disturbing aspect of this series of incidents is that they are not a surprise to the security community. The attack surface we are now seeing exploited was first spectacularly demonstrated at Black Hat USA 2025. At that event, Michael Bargury, CTO of Zenity, took the stage and, with zero clicks, hijacked multiple renowned AI platforms: ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein, and Cursor, using a vulnerability in Jira MCP. The demonstration was a clear warning: the credentials these AIs use to interact with other systems are the real prize.
Nine months after that premonitory demonstration, credentials remain the primary target for attackers. This suggests that, despite the warnings, many organizations have not adapted their security practices to the pace of AI integration. The race to implement these innovative tools has, in many cases, overshadowed the thorough evaluation and mitigation of their inherent risks, especially those related to their privileged interaction with existing infrastructure.
Critical Implications for Enterprise Security
The ramifications of these types of attacks are profound and multifaceted for any enterprise integrating coding AIs into its workflows. An attacker who gains access to an AI's credentials can:
- Exfiltrate Sensitive Data: Access private code repositories, customer databases, company secrets, and other confidential information.
- Inject Malicious Code: Modify source code in development or production environments, introducing backdoors, malware, or vulnerabilities that can lead to supply chain attacks.
- Take Control of Infrastructure: Use credentials to access deployment systems, cloud servers, or CI/CD tools, escalating privileges and compromising the entire infrastructure.
- Manipulate Management Systems: As seen with Jira MCP, AIs can have access to project management systems which, if exploited, can disrupt operations or serve as a pivot for other attacks.
The trust placed in these AIs, along with the privileged access granted to them, makes them a critical point of failure if their authentication mechanisms are not robust. The attack surface is not the model itself, but the ecosystem of tools and systems with which the model interacts, mediated by credentials.
Beyond the Models: A Hidden Attack Surface
It is crucial to understand that AI security is not limited to preventing hallucinations or manipulating its internal logic. The real threat, as these incidents demonstrate, lies in its ability to act as autonomous agents within an enterprise environment. Every API connection, every integration with an external service, every code repository it accesses, represents an exposure point. The sophistication of the language model is irrelevant if its credentials allow an attacker to directly access an organization's most valuable assets. The discussion about AI security must shift from "model security" to "AI-enabled system security," where credentials are the most critical factor.
Essential Recommendations and Preventive Measures
Given this landscape, organizations must adopt a proactive and multifaceted approach to protect themselves:
- Robust Secret Management: Implement secret management solutions (such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) to securely store and rotate credentials.
- Principle of Least Privilege: Grant AIs only the strictly necessary permissions to perform their functions, and nothing more. Regularly audit and review these permissions.
- Multi-Factor Authentication (MFA) for Critical Actions: If possible, implement mechanisms that require human approval (MFA or “human-in-the-loop”) for high-risk actions performed by the AI.
- Continuous Monitoring and Anomaly Detection: Closely monitor AI activity, looking for unusual access patterns or actions that deviate from expected behavior.
- Environment Isolation: Run coding AIs in isolated environments with limited permissions, especially when interacting with production systems.
- Regular Security Audits: Conduct thorough security assessments (pentesting, code reviews) on AI integrations to identify and remediate vulnerabilities.
- Education and Awareness: Train development and operations teams on the security risks associated with AIs and the importance of credential management.
Conclusion: A Paradigm Shift in AI Security
The recent incidents involving Codex, Claude Code, and Copilot are an undeniable wake-up call. The narrative that AI is invulnerable to traditional attacks or that its risks are solely focused on its internal manipulation is flawed. The true threat, the one attackers are successfully exploiting, lies in the AI's interaction with the real world through credentials. It is time for the industry to fundamentally re-evaluate how it protects its AI-enabled systems, prioritizing identity and access management, credential security, and human oversight at critical points. Ignoring this lesson is inviting the next wave of security breaches, with potentially devastating consequences.