Cybersecurity News Hub
Codex Bug Let Repo Files Execute Hidden Commands

Cyberinchief by Cyberinchief
December 3, 2025


Agentic AI, Artificial Intelligence & Machine Learning, Next-Generation Technologies & Secure Development

Rashmi Ramesh (rashmiramesh_) • December 3, 2025


OpenAI patched a command-injection flaw in its Codex CLI tool that let attackers run arbitrary commands on developer machines by hiding malicious configuration files inside code repositories.

Cybersecurity firm Check Point said Monday that it disclosed the flaw to OpenAI on Aug. 7, and that the company released a fix on Aug. 20 in Codex CLI version 0.23.0; developers can confirm they are on a patched build with codex --version. The flaw lay in how the terminal-based coding assistant handled project configuration, which turned a routine clone-and-run workflow into an attack vector.

Codex CLI is OpenAI's command-line coding agent. Developers use it to read, edit and execute code directly from the terminal using natural-language instructions. The tool extends its capabilities through the Model Context Protocol (MCP), a standard for plugging external services and custom workflows into the assistant; each MCP server is a separate process that Codex launches using a command and arguments taken from configuration.

The vulnerability centered on how Codex CLI automatically loaded and executed MCP server entries from project-local configuration files whenever developers ran the Codex command inside a repository. If a repository contained a file that redirected the tool’s configuration directory to a local folder, along with a configuration file listing MCP server commands, Codex would immediately invoke those commands at startup without user approval or validation.

Diana Kelley, CISO at AI security and governance company Noma Security, said Check Point’s research on the vulnerability, tracked as CVE-2025-61260, reflects a broader trend in AI-assisted development environments, where tools behave more like autonomous agents than like passive helpers.

“The issue stems from Codex placing automatic trust in project-level configuration,” she told Information Security Media Group. “If those files are tampered with, any developer who downloads the project and uses Codex will unknowingly trigger attacker-defined commands embedded in that configuration.”

The tool treated project-local MCP configuration as trusted execution material, with no interactive approval, secondary validation of commands or arguments, or recheck when values changed. This design turned ordinary repository files into execution vectors. An attacker who could commit or merge specific configuration files would trigger arbitrary commands on any developer who cloned the repository and ran Codex.

With no prompt, no approval step and no mechanism to recheck whether those actions have changed, “a routine developer action can silently execute attacker-controlled commands on a corporate workstation,” she said.

Kelley said that the implications extend beyond a single flaw. “We now live in a reality where configuration files can become execution vectors and AI-driven developer tooling behaves like an implicit extension of the operating system,” she said.

Check Point Research demonstrated the attack with file-creation and reverse-shell payloads, both of which executed without any user prompt. In one demonstration the researchers opened the calculator application on the victim's machine, the usual harmless stand-in for arbitrary code execution: a configuration that can launch a calculator can equally launch a credential stealer or a reverse shell.

The flaw created persistent backdoors because trust was bound to the configuration file’s location rather than its contents. An initially innocuous configuration could be swapped for a malicious one after approval or merge, creating a stealthy supply chain backdoor that triggered during normal developer workflows.

The attack required little sophistication. An attacker with repository write access, or merely the ability to get a pull request merged, could embed commands in the configuration files. When developers cloned or updated the project and ran Codex, the commands executed immediately in the developer's own security context, which gave the attacker everything that user could reach: cloud credentials, SSH keys and source code typically stored on developer machines.

Trey Ford, chief strategy and trust officer at Bugcrowd, said Codex CLI is part of a growing class of tools showing similar security patterns. “We saw this same pattern identified in Cursor by Oasis Security in September,” he told ISMG.

As AI capabilities become more deeply embedded in development environments, vendors face an old but heightened tension: making systems frictionless for adoption while maintaining hardened, enterprise-grade defaults.

“The magic of shortening time-to-value drives adoption,” Ford said. “But as companies scale and pick up increasingly interesting users, those tradeoffs tip over and security hardening naturally becomes a priority.” He added that both vendors and adopters need to scrutinize the security posture of these tools. “The enterprise security capabilities of these development tools need a hard look, while adopting security teams should be watching these attack patterns specifically.”

The vulnerability carried supply chain implications beyond individual compromises. Contaminated starter repositories, project templates or popular open-source projects could weaponize downstream consumers with a single commit. If continuous integration systems or build agents ran Codex on checked-out code, the compromise could propagate from workstations into build artifacts and production deployments.





© 2025 All rights reserved by cyberinchief.com