← Latest news 
AI coding tools are getting breached by stolen credentials, not broken models, as six new exploits emerge
Technology
Published on 30 April 2026
Branch names smuggled OAuth tokens without any clicks
A new round of disclosures shows AI coding agents are failing at one core security principle: broken access control via credentials. Exploits across Codex, Claude Code, Copilot, and Vertex AI repeatedly steal OAuth or service-account tokens, then act in production without a human session binding the request. Researchers warn defenders focused on CVEs while attackers target runtime identities.
- Six exploits follow one pattern: credential theft during agent runtime
- Codex and Claude Code attacks bypassed protections via crafted inputs
- Copilot and Vertex AI failures expanded access through settings and default scopes
- Experts urge least privilege, credential governance, and faster patching
Read the full story at Venture Beat
This summarization was done by Beige for a story published on 
Venture Beat