📰 **Hackers Exploit GitHub Copilot Flaw to Exfiltrate Sensitive Data** A high-severity flaw in GitHub Copilot Chat allowed silent theft of source code, API keys, and secrets from private repos without executing code. 🔗 [Read the article here](https://lnkd.in/dG9JW8SR)
GitHub Copilot Flaw Exposed Sensitive Data
A GitHub branch name was enough to steal the very token Codex used to authenticate with GitHub.

On March 30, 2026, BeyondTrust Phantom Labs detailed a critical command-injection flaw in OpenAI Codex. By crafting a malicious branch name, an attacker could inject arbitrary shell commands. This didn't just affect one interface—it compromised the web app, CLI, SDK, and the IDE extension. The vulnerability turned the agent's own credentials into a liability, allowing for automated token theft across repositories.

The timeline from disclosure to hardening shows the complexity of securing coding agents:
→ December 2025: Initial hotfix deployed.
→ January 2026: Iterative shell-escape hardening and restricted token access.

Lessons from this breach:
🔹 Input sanitization is non-negotiable for AI agents, especially when they act as an interface between users and external platforms.
🔹 Treat your agent's credentials as high-privilege assets. If it has access to GitHub, your agent has your keys.
🔹 Hardening isn't a single patch; it requires architectural changes to limit what a compromised agent can actually touch.

How do you handle credential isolation for the AI tools integrated into your dev workflow?

#CyberSecurity #OpenAICodex #DevSecOps #SupplyChainSecurity #BuildInPublic
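An added example (not BeyondTrust's or OpenAI's code) of the pattern behind the first lesson above: a branch name interpolated into a shell string beside a hardened version that validates the name against a subset of git's ref-name rules and passes argv to git without any shell. All function names are hypothetical.

```python
import re
import shlex
import subprocess

# Subset of `git check-ref-format`: ASCII alphanumerics, dot, underscore, slash,
# hyphen; must not start with "-" (would parse as an option) and no shell
# metacharacters at all. Stricter than git itself, which is the point.
_BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_branch_name(name: str) -> bool:
    """Allow-list check for a branch name received from a webhook or API."""
    if not _BRANCH_RE.fullmatch(name):
        return False
    # Remaining git rules that the character class alone does not enforce.
    if ".." in name or "//" in name or name.endswith("/") or name.endswith(".lock"):
        return False
    return True


def build_fetch_command_unsafe(branch: str) -> str:
    # The vulnerable pattern: an attacker-controlled name becomes part of a string
    # that a shell will parse, so ";" or "$(...)" in `branch` turns into commands.
    return f"git fetch origin {branch}"


def build_fetch_command(branch: str) -> list[str]:
    # Hardened: validate first, then build argv as a list so no shell is involved,
    # and put "--" before the name so a leading "-" cannot be read as an option.
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "fetch", "origin", "--", branch]


def shell_metachars_in(branch: str) -> bool:
    """Detection helper for logs: would a POSIX shell treat this name specially?"""
    return shlex.quote(branch) != branch


def run_fetch(branch: str, cwd: str = ".") -> int:
    """Run the hardened command without a shell; returns git's exit status."""
    return subprocess.run(build_fetch_command(branch), cwd=cwd, check=False).returncode
```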
A serious security flaw in Docker Engine lets attackers bypass authorization plugins by padding a single HTTP request to more than 1MB — causing the security check to be skipped entirely while the Docker system processes the full request and creates a privileged container with root access to the host machine. This works against every authorization plugin in the ecosystem. The flaw has been patched in Docker Engine version 29.3.1. If attackers exploit this flaw to gain access to company systems, your personal data stored by businesses using Docker could be stolen or exposed. 💥 #CyberNewsLive https://lnkd.in/d4T_UDBq
Critical Vulnerability: 2-Day-Old GitHub Account Injects AI-Generated Dependency into Popular NPM Package

🛰️ [SECURITY] A new GitHub account attempted a supply chain attack on a popular NPM package.

Why it matters: This incident highlights the pervasive vulnerability of open-source software supply chains to sophisticated attacks. Even seemingly innocuous performance improvements can mask malicious intent, underscoring the critical need for rigorous vetting and community oversight in widely used dependencies.

🤔 How can the open-source community scale vigilance and automated defenses to counter increasingly subtle supply chain attacks?

#SupplyChainSecurity #OpenSourceSecurity #GitHubVulnerability #NPM #CyberAttack

📡 Follow DailyAIWire for high-signal AI news.
#ActiveMQ is getting exploited in the wild using a pair of bugs that, when chained, give pre-auth RCE. CVE-2026-34197 was “hiding in plain sight” for 13 years and found by Horizon3.ai’s Naveen Sunkavally – using what he described as “80% Claude with 20% gift-wrapping by a human.” It requires authentication, but there's plenty of default admin:admin pairs out there. A second ActiveMQ bug CVE-2024-32114 removes the need for authentication outright. Mercifully, it only affects deprecated versions of the software. h/t also Jonny Rivera ActiveState for flagging/comment and VulnCheck 👉 https://lnkd.in/ekU7Xs_n
Thank you Edward Targett and The Stack for featuring Jonny Rivera's thoughts in your article on VulnCheck's (Jacob Baines) recent observation of the ActiveMQ vulnerability (first uncovered by Horizon3.ai) getting exploited in the wild.

"Jonny Rivera from ActiveState, a software supply chain company, commented: 'Apache ActiveMQ is in millions of enterprise stacks.' He added that what makes the bugs dangerous is that many organisations don't know they're running ActiveMQ at all [it is] buried in transitive dependencies, untracked, and nowhere near their patch queue…"

🗞️ Read the full article here: https://lnkd.in/e4u3HWUh
ActiveState's Sr. Director of Product Jonny Rivera flagged what makes this particular incident worth paying attention to beyond the CVE scores themselves.

Apache ActiveMQ is in millions of enterprise stacks. The problem is that many organizations do not know they are running it. It is buried in transitive dependencies, untracked, and nowhere near their patch queue.

That is the part of this story that should concern security teams most. This is not a case where defenders failed to patch something they knew about. This is a case where the vulnerable component was invisible to them entirely, sitting several layers deep in a dependency chain no one had mapped.

Transitive dependencies are the open source software security blind spot that scanners consistently undercount. You cannot patch what you cannot see, and you cannot see what you never inventoried. The 91% of DevSecOps leaders who report limited visibility into container components are not outliers. They are the norm, and incidents like this are the consequence.

If you are a defender trying to determine your exposure right now, Horizon3.ai has published clear IOC guidance. Look for network connector activity referencing vm:// URIs with brokerConfig=xbean:http in your ActiveMQ broker logs. That pattern does not appear during normal broker operations.

The broader lesson here is not about ActiveMQ specifically. It is about the class of risk that lives in the dependencies your team did not deliberately choose, has not actively tracked, and will not find until something like this surfaces it.

Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3 if you have not already. Then go find out what else is in your stack you did not know was there.

Full breakdown via The Stack, by Edward Targett linked in the first comment.

#OpenSourceSecurity #SoftwareSupplyChain #CVE #DevSecOps #CISOInsights
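An added example (not Horizon3.ai's or ActiveState's code) that applies the IOC guidance and the upgrade advice from the post above to constructed broker log lines: it flags any vm:// network-connector URI carrying brokerConfig=xbean:http and checks the version from the startup banner against 5.19.4 / 6.2.3. The log layout is an approximation of ActiveMQ's default format, and all function names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample log (not real captures) in an approximation of ActiveMQ's
# default layout. Only the last line carries the indicator from the post: a
# vm:// URI whose query string sets brokerConfig=xbean:http.
SAMPLE_LOG = """\
2026-04-01 10:01:02,113 | INFO  | Apache ActiveMQ 5.18.3 (localhost, ID:broker-1) is starting | org.apache.activemq.broker.BrokerService | main
2026-04-01 10:01:03,002 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
2026-04-01 10:01:05,414 | INFO  | Establishing network connection from vm://localhost?async=false&network=true to tcp://10.0.0.7:61616 | org.apache.activemq.network.DiscoveryNetworkConnector | main
2026-04-01 10:07:41,990 | INFO  | Establishing network connection from vm://localhost?brokerConfig=xbean:http://203.0.113.10/c.xml to tcp://10.0.0.7:61616 | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-3
"""

# A legitimate vm:// connector never sets brokerConfig=xbean:http, so a single
# match is enough to alert; the full URI is captured for the incident ticket.
_IOC_RE = re.compile(r"(vm://\S*?[?&]brokerConfig=xbean:https?://\S*)", re.IGNORECASE)
_VERSION_RE = re.compile(r"Apache ActiveMQ (\d+)\.(\d+)\.(\d+)")


def find_xbean_indicators(log_text: str) -> List[Dict[str, str]]:
    """One record per matching line: line number, timestamp prefix, offending URI."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = _IOC_RE.search(line)
        if m:
            hits.append({"line": str(line_no), "timestamp": line[:23], "uri": m.group(1)})
    return hits


def broker_version_from_log(log_text: str) -> str:
    """Version from the startup banner, or '' if the log has no banner."""
    m = _VERSION_RE.search(log_text)
    return ".".join(m.groups()) if m else ""


def needs_upgrade(version: str) -> bool:
    """True when a 5.x or 6.x broker is below the fixed releases the post names."""
    major, minor, patch = (int(p) for p in version.split("."))
    if major == 5:
        return (minor, patch) < (19, 4)
    if major == 6:
        return (minor, patch) < (2, 3)
    raise ValueError(f"release line not covered here: {version}")


def triage(log_text: str) -> Dict[str, object]:
    """Both checks together, the way an on-call engineer would read them."""
    version = broker_version_from_log(log_text)
    return {"version": version,
            "vulnerable_build": needs_upgrade(version) if version else None,
            "indicators": find_xbean_indicators(log_text)}
```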
By now, you may have heard the code for Anthropic's Claude Code was leaked and the culprit was none other than… Anthropic! Early reports across X.com (you know, Twitter) speculated the leak was caused by Claude Code itself, but more recent stories claim the mistake was made by good ol' humans. Fortunately, no customer information was disclosed. However, the build included a file used in debugging that allowed the full source code to be downloaded from Cloudflare. Some have called this incident a blow for Anthropic, but other than allowing bad actors to plumb the depths of Claude Code for vulnerabilities, this is likely just a footnote in the short history of the product. It is a little ironic that the code was leaked at a time when the lack of security in generated code is becoming a hot topic. More than likely, Claude Code rewrites its codebase and we all move on. Until then, it's good to know that humans are still involved in the deployment process and that we can still make mistakes.
Really?! How did this become "normal"?

At Nexus Security Advisors, the normalization of breaches is a dangerous trend. Organizations cannot afford to treat exposed credentials, leaked tokens, and hardcoded secrets as routine fallout from modern development.

In less than a year, AI-assisted coding has moved from novelty to habit. Software development is faster, more accessible, and more scalable than ever. That acceleration is creating real business value, but it is also expanding the attack surface at a pace that many organizations are not governing well.

The result is sobering: millions of new hardcoded secrets have reportedly been exposed in public GitHub commits in 2025 alone, with year-over-year growth continuing in the wrong direction.

This is not just a developer hygiene issue. It is a governance, risk, and leadership issue, IMHO...

Organizations should be asking:
• Are secrets being embedded in code, scripts, or pipelines?
• Are AI-enabled development practices outpacing security review?
• Do teams have strong secret scanning, vaulting, rotation, and response processes?
• Is leadership treating software velocity and software assurance as equal priorities?

Security can't just be an afterthought bolted onto accelerated development, and it continues to appear that it is still. Secure-by-design practices, DevSecOps discipline, and stronger oversight of AI-assisted engineering workflows are now table stakes.

Nexus Security Advisors helps organizations strengthen cybersecurity governance, reduce operational risk, and improve resilience across cloud, AI, and modern software environments.

#NexusSecurityAdvisors #Cybersecurity #DevSecOps #ApplicationSecurity #SecretsManagement #SecureCoding #AIcoding #SoftwareSecurity #CyberRisk #InfoSec #CyberLeadership #SecureByDesig
Really?! How can we see this as normal and just accept it? I don't get how breaches continually happen and we just accept it as normal these days.

In less than a year, AI-assisted coding went from novelty to habit. What used to be a specialized workflow for experienced engineers is now accessible to almost anyone with an idea, a prompt, and a few minutes. In 2025, that shift became impossible to ignore. Software creation sped up, public GitHub activity surged, and a new generation of services, agents, integrations, and configuration patterns entered the stack all at once.

That speed came with a cost. According to our latest "State of Secrets Sprawl" report, 28.65 million new hardcoded secrets were added to public GitHub commits in 2025 alone, a 34% increase year over year and the largest single-year jump we've recorded.

#CybersecurityLeadership #CyberRisk #DataBreach #DevSecOps #ApplicationSecurity #SecureByDesign #AIcoding #SoftwareSupplyChain #SecretsManagement #DigitalTrust #InfoSec
🚀 RCE on GitHub via a Single git push: Millions of Repos Exposed!

A groundbreaking vulnerability has just been disclosed by @sagitz from Wiz. By exploiting a flaw in how GitHub handles internal protocols, researchers achieved Remote Code Execution (RCE) on both GHES and GitHub.com. (CVE-2026-3854)

Technical Highlights:
- The Exploit: Using git push -o, researchers injected a semicolon into internal headers, overriding security-critical fields due to a lack of sanitization.
- Sandbox Escape: This injection allowed them to bypass the production sandbox and execute arbitrary binaries as the git service user.
- Impact: They successfully demonstrated cross-tenant access, gaining the ability to read private repositories belonging to other users and organizations on GitHub.com.
- Remediation: GitHub deployed a hotfix on the same day. All GHES customers must upgrade to 3.19.3+ immediately.

A massive shoutout to the Wiz team for this incredible research and GitHub for the lightning-fast response!

🔗 Full breakdown: https://lnkd.in/d4F6wXxv

#InfoSec #CyberSecurity #GitHub #CloudSecurity #RCE #VulnerabilityResearch #CVE20263854 #TechTrends
This is actually what aico-ai matches: AI review to find issues in your code, security to make sure you're not uploading any credentials to GitHub, and team rules so the team can work on the same page.