TH-04 (severity: high)

OpenAI Codex Command Injection via Branch Name — GitHub Token Theft

Tags: ai-coding-agent, command-injection, credential-theft, github, agentic-security

BeyondTrust Phantom Labs disclosed a command injection flaw in OpenAI's Codex coding agent: branch names passed at task creation were not sanitized, so a branch name carrying hidden Unicode Ideographic Space (U+3000) characters could embed arbitrary shell commands that ran inside Codex's managed container during environment setup.

Researchers extracted the GitHub OAuth token Codex uses for repository access and demonstrated lateral movement across enterprise codebases. The flaw affected the Codex web interface, SDK, and IDE integrations, that is, any surface where a @codex mention could be triggered with an attacker-controlled branch name.

In shared enterprise environments, a single malicious branch name could compromise every user interacting with the affected repository, since the injected command runs server-side in a container with valid GitHub Installation Access tokens.

Immediate action: audit branch names in repositories Codex can reach for unexpected Unicode characters (U+3000 Ideographic Space and similarly invisible code points) and for shell metacharacters; rotate any GitHub OAuth tokens provisioned to Codex integrations; confirm that your Codex integration is running the version patched on Feb 5 2026 or later, which adds stricter input validation and token scope controls.
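The two points above, the bug class (an untrusted branch name interpolated into a shell command string, where a U+3000 character looks like blank space but survives git's own ref rules) and the audit step, as one added Python example. This is illustration code written for this note, not Codex's code and not the researchers' payload; the sample branch names are constructed, the allowlist regex and the function names are my own, and `git_ref_format_ok` is a simplified re-implementation of the documented `git check-ref-format --branch` rules rather than git's source.

```python
"""Branch-name audit and safe handling (added illustration, not Codex code)."""
import re
import unicodedata

# Characters a POSIX shell treats specially when a name is pasted into a command string.
SHELL_META = set(";|&$`()<>\n\"'\\!#{}")

# Strict allowlist for names automation may hand to a shell: printable ASCII only,
# no metacharacters.  Anything else is routed to manual review.  (Assumed policy.)
SAFE_BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


def git_ref_format_ok(name):
    """Approximation of the documented `git check-ref-format --branch` rules
    (simplified re-implementation, not git's code).  Note what is absent: nothing
    here rejects ';', '$', '|', '>' or non-ASCII whitespace such as U+3000, so
    "valid git branch name" is not a security check."""
    if not name or name == "@" or name.startswith("-"):
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if ".." in name or "@{" in name or name.endswith(".") or "\\" in name:
        return False
    for comp in name.split("/"):
        if comp.startswith(".") or comp.endswith(".lock"):
            return False
    for ch in name:
        # git forbids ASCII control characters, DEL, ASCII space and ~ ^ : ? * [
        if ord(ch) < 0x20 or ord(ch) == 0x7F or ch in " ~^:?*[":
            return False
    return True


def suspicious_chars(name):
    """Return (index, 'U+XXXX', reason) for every character that can hide or
    carry a shell payload: shell metacharacters, non-ASCII whitespace,
    format/control code points (zero-width, bidi overrides), or other non-ASCII."""
    findings = []
    for i, ch in enumerate(name):
        cp = "U+%04X" % ord(ch)
        cat = unicodedata.category(ch)
        if ch in SHELL_META:
            findings.append((i, cp, "shell metacharacter"))
        elif cat in ("Zs", "Zl", "Zp") and ch != " ":
            findings.append((i, cp, "unicode whitespace: " + unicodedata.name(ch, "?")))
        elif cat in ("Cf", "Cc", "Co", "Cn"):
            findings.append((i, cp, "format/control: " + unicodedata.name(ch, "?")))
        elif ord(ch) > 0x7F:
            findings.append((i, cp, "non-ASCII: " + unicodedata.name(ch, "?")))
    return findings


def audit_branch_names(names):
    """Map each branch name that has findings to its list of findings.
    Feed it the output of `git ls-remote --heads` or the GitHub branches API."""
    result = {}
    for n in names:
        f = suspicious_chars(n)
        if f:
            result[n] = f
    return result


def vulnerable_checkout_command(name):
    """The bug class: interpolating an untrusted name into a string a shell parses.
    A ';' inside `name` ends `git checkout` and starts an attacker-chosen command."""
    return "git checkout " + name


def safe_checkout_argv(name):
    """Hardened form: allowlist-validate, then pass the name as a single argv
    element (no shell) after '--' so it cannot be parsed as an option."""
    if not (git_ref_format_ok(name) and SAFE_BRANCH_RE.fullmatch(name)):
        raise ValueError("rejected branch name: %r" % name)
    return ["git", "checkout", "--", name]


# Constructed sample refs (not from the disclosure).  The third passes git's own
# format rules: git forbids ASCII space but not U+3000, ';' or '>'.  The fourth
# hides a zero-width space at the end.
SAMPLE_BRANCHES = [
    "main",
    "feature/login-form",
    "feature/login\u3000;id>/tmp/pwned",
    "release/v1.2\u200b",
]

if __name__ == "__main__":
    for name, findings in audit_branch_names(SAMPLE_BRANCHES).items():
        print(repr(name), "passes git ref rules:", git_ref_format_ok(name))
        for idx, cp, why in findings:
            print("  offset %d: %s %s" % (idx, cp, why))
        print("  shell string a vulnerable integration would run:",
              repr(vulnerable_checkout_command(name)))
```

Run the audit against every branch name reachable by the integration, not only the default branch: the injected name only has to exist in a repository the agent will check out. The hardened path deliberately rejects rather than strips suspicious characters, because a stripped name may silently resolve to a different ref.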