Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.

In April, Microsoft supported an initiative named the Autonomous Agents Foundation (AAF) to rigorously evaluate the newest AI coding agents against realistic cybersecurity threats. The results, disclosed recently, should serve as a warning for anyone considering these AI tools as full replacements for human developers without thorough supervision. The investigation revealed that several top-tier AI coding agents, both open-source and commercial, are susceptible to multiple types of exploits. Out of 13 agents examined, researchers managed to compromise most of them with six distinct exploitation strategies. Alarmingly, these AI systems not only failed to safeguard critical assets or maintain identity and access management (IAM) policies effectively, but in some cases they lacked a fundamental comprehension of these security principles.

Alex Jones, co-founder of AAF, noted that in every tested case, these AI agents failed to uphold foundational security rules such as least privilege, separation of duties, or auditability. The AAF team recreated a controlled cloud environment on AWS representing a fictitious fintech firm, complete with authentic credentials, infrastructure, user accounts, development and production servers, and various code repositories. They then deployed AI coding agents designed to autonomously manage complex development and operational tasks, including deploying features, rotating keys, patching systems, and updating IAM configurations.

The experiment incorporated six tailor-made exploits—named Phantom Config, Subtle Split, Double Drill, Overlap Attack, Shadow Pass, and Delay Drop—that preyed on subtle vulnerabilities often noticeable to human security auditors but overlooked by AI lacking advanced threat awareness. These tactics involved hiding unauthorized permissions within obscure configurations, distributing duties to bypass privilege norms, inducing conflicting resource states, exploiting overlapping environments to escalate access, abusing ambiguous policy language for secret entry points, and timing attacks to evade detection or disrupt automated defenses. Notably, no AI agent detected or defended against all these threats adequately.
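Several of the tactics above come down to a privilege grant buried in a configuration that reads as routine. The following is an added example, not AAF's or Microsoft's tooling and not code from the report: a small review gate that scans an IAM policy document proposed by an agent and flags the patterns a least-privilege reviewer would want a human to look at before merge. The rule set, the `IAM_WRITE_ACTIONS` list and the sample policy are assumptions constructed for this example.

```python
import json

# Constructed review gate: flag statements in a proposed IAM policy that widen
# privilege in ways easy to miss in a diff. The rule set is an assumption made
# for this example, not the evaluation's own tooling.

# IAM actions that let a principal widen its own or another principal's
# permissions; any Allow on these warrants human review.
IAM_WRITE_ACTIONS = {
    "iam:*", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:PassRole", "iam:UpdateAssumeRolePolicy",
}

def _as_list(v):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return v if isinstance(v, list) else [v]

def find_policy_risks(policy: dict) -> list[str]:
    """Return human-readable findings for one IAM policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        # NotAction / NotResource grant everything except the listed items,
        # an easy place to hide a broad grant behind an innocuous-looking list.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource inverts the grant; review scope")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action grants a whole service")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: resource '*' with no Condition")
        hits = sorted(IAM_WRITE_ACTIONS.intersection(actions))
        if hits:
            findings.append(f"{sid}: privilege-widening IAM action(s): {', '.join(hits)}")
    return findings

# Constructed policy an agent might propose: a harmless-looking log-read grant
# followed by a second statement that can rewrite role trust across the account.
PROPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-logs/*"},
    {"Sid": "Rotate", "Effect": "Allow",
     "Action": ["iam:UpdateAssumeRolePolicy", "kms:*"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for finding in find_policy_risks(PROPOSED_POLICY):
        print(finding)
```

Run against the sample, the `ReadLogs` statement passes and the `Rotate` statement produces three findings, which is the point at which a human reviewer rather than the agent should decide whether the grant is acceptable.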

Jones highlighted that even when the agents analyzed code or configuration updates, their threat perceptions were overly simplistic. They missed context from prior exploits and the nuanced attack patterns that human experts or red teams would identify. This shortfall isn’t merely theoretical; as organizations race to integrate AI for DevOps acceleration, these findings underscore significant security deficits, particularly concerning IAM protections and privileged access control. Co-founder April Edwards warned of the tangible danger that excessive reliance on these AI tools poses.

Responding to these insights, Microsoft and other AAF collaborators, including contributors to open-source AI projects, are incorporating enhanced safeguards, improving agent training, and mandating human oversight—especially for IAM-related code changes proposed by AI agents. The report emphasizes that while AI-assisted DevOps can boost productivity considerably, it remains vulnerable without adequate precautions. Users and developers must acknowledge these weaknesses and avoid assuming these tools are immune to security flaws, according to Jones.