AI Coding Tools Hacked: Attackers Target Credentials, Not Models

Over nine months, six research teams exposed critical vulnerabilities in Codex, Claude Code, Copilot, and Vertex AI. Every attack followed the same pattern: AI coding agents holding credentials and authenticating to production systems without human oversight. BeyondTrust stole Codex's OAuth token via a crafted GitHub branch name, while Claude Code's source code leaked publicly and its deny rules were bypassed with 50-plus subcommands. The attack surface was first demonstrated at Black Hat USA 2025, when a security researcher hijacked five major AI platforms using Jira MCP with zero clicks. The consistent takeaway across all incidents is that attackers are not targeting AI models themselves but the credentials those agents silently hold and use.