Six Exploits.
Nine Months.
One Pattern.
VentureBeat documented six successful attacks against the world's leading AI coding agents in nine months. Every exploit followed the same playbook. The model was never the target. The credential was. This is the NHIG case file.
On April 30, VentureBeat published a forensic accounting of the most consequential nine months in the short history of agent security. Six research teams. Six exploits. Four major AI coding platforms compromised: Codex, Claude Code, GitHub Copilot, and Google Vertex AI. None of the attacks targeted the model. Every attack targeted the credential the agent was holding.
The pattern is so consistent that it reads like a single playbook executed six times: an AI coding agent holds a credential, executes an action, and authenticates to a production system without a human session anchoring the request. The model behaves correctly. The runtime behaves correctly. The credential is what fails — because no governance layer existed to scope it, rotate it, audit it, or revoke it at machine speed.
This is identity lifecycle debt expressed as breach. It is what happens when the IAM platform built to govern your employees is asked to govern the agents that now act on their behalf.
The Three Failure Categories
The six exploits cluster cleanly. Read them as a taxonomy. This is how the NHIG layer thinks about the agent attack surface.
on Agent Identities
- Vertex AI's default service identity (P4SA) ships with unrestricted read access to every Cloud Storage bucket in the project — and reach into Google-owned Artifact Registry repositories.
- Codex OAuth token exfiltrated in cleartext via a crafted GitHub branch name. OpenAI rated it Critical P1.
- Claude Code source spilled to the public npm registry with credentials still live.
at Agent Runtime
- CVE-2026-33068: Claude Code resolved permission modes from
.claude/settings.jsonbefore showing the workspace trust dialog. A malicious repo setdefaultModetobypassPermissions. The trust prompt never appeared. - Adversa demonstrated that Claude Code silently dropped deny-rule enforcement once a command exceeded fifty subcommands. The engineers had traded security for speed and stopped checking after the fiftieth.
Driving Authenticated Action
- Zenity CTO Michael Bargury demonstrated at Black Hat USA 2025 a zero-click hijack of ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein, and Cursor — all routed through a Jira MCP connector. The model was never compromised. The connector was hijacked, and the credential the agent held did the rest.
The Honest Scorecard
The question Arkion gets asked first by every CISO who reads this article is the right one to ask: would your platform have prevented these attacks? An honest answer is the only answer worth giving. We assess four of the six as preventable or containable by an NHIG layer. The other two are vendor runtime defects — patches that no governance layer would catch.
Four of six is the honest number. Anyone who claims six of six is selling. The two runtime bypasses are problems for the AI vendors to solve in their own code — and they did, in the patches that followed disclosure. The NHIG layer's job is not to fix the agent. The NHIG layer's job is to govern what the agent is allowed to do once it acts.
What This Means for the Buyer
The article makes a simpler argument than it appears to. It is not arguing that AI agents are unsafe. It is arguing that the credential plane underneath them was never designed for them. Every defense the AI vendors shipped was bypassed because the bypass routes around the model entirely. Reverse-engineering patches now takes hours; agents compress that window to seconds.
For a CISO, this changes the procurement question. The question is no longer which AI platform is most secure? Every platform is exposed at the credential layer the same way. The question is which platform governs the credentials those agents hold? That is the NHIG question. It has a different answer than the IAM question, because IAM was built for sessions anchored by humans.
Three procurement filters this article justifies
- Can your IAM platform produce a list of every AI agent identity in your environment, with the scopes each one holds, in under sixty seconds?
- If the answer is no, you are governing the 22%. The 78% is the breach surface.
- If a token exfiltrates today, what is the time from detection to revocation?
- If that time is measured in hours, the agent has already authenticated to every system that token reaches.
- For every authenticated action an agent takes, is there a cryptographic record that ties the action to a specific identity, scope, and policy decision?
- If not, the breach reconstruction will be the victim's testimony, not your logs.
Closing
Six exploits in nine months is not noise. It is signal. The pattern is durable because the architecture that produces it is durable: agents act with credentials, credentials are governed by frameworks built for humans, and the gap between what was built and what is now operating is the breach surface for the next three years.
Arkion exists for the buyer who has read this article and stopped asking whether the agents are safe — and started asking who governs them.
Field Note FN-01-2026 · Distributed under arkion.ai/field-notes
For questions or to discuss findings against your environment: research@arkion.ai
- VentureBeat, “Six exploits broke AI coding agents. IAM never saw them” — April 30, 2026.
- Gravitee, 2026 Practitioner Survey on AI Agent Identity (n=919).
- OWASP Top 10 for Agentic Applications, 2026 (ASI01–ASI10).
- BeyondTrust disclosure, Codex OAuth token exfiltration, March 30, 2026.
- Adversa Research, Claude Code deny-rule bypass disclosure.
- Zenity, Black Hat USA 2025 — Bargury demonstration.
- Anthropic security advisories: CVE-2026-33068, patches 2.0.55 / 2.1.53 / 2.1.90.
- Unit 42 (Palo Alto Networks), Vertex AI P4SA research — Ofir Shaty.