Codex 'Auto-Review' Agent Runs Malware

OpenAI's Codex "Approve-for-me" agent approved the execution of a malicious NPM install command with elevated privileges after a prompt injection hidden in a GitHub issue comment compromised the primary Codex agent. The attack chain allowed attacker-controlled code to run unsandboxed on the user's machine with full user privileges, bypassing the AI-based guardrail designed to replace human oversight. OpenAI and Anthropic have acknowledged the risk, stating their auto-approval modes are not deterministic security guarantees and can still make mistakes in adversarial contexts.

Threat Intelligence Table of Content Codex 'Auto-review' Agent Runs Malware Malware risks from agent-based command approval modes, demonstrated on OpenAI Codex. Context context Across AI applications Codex, Claude Code, etc. , tools have begun to encourage an ‘agent in the loop’ approach, in which a second agent reviews commands issued by the first, rather than requiring human oversight. While this approach promises to enable multi-agent workflows and large-scale orchestration, it falls victim to a well-known flaw of AI-based guardrails: the guardrail agent can be influenced by prompt injections, just as the primary agent requesting commands can. In this article, we demonstrate that OpenAI’s 'Approve-for-me' agent approves the execution of a malicious NPM install command with elevated privileges, even when the main Codex agent is operating under the influence of a single concealed line in a GitHub issue from an external contributor. This is not a security vulnerability. Vendors are offering the option to accept risk by delegating the decision about when to execute sensitive actions to an agent. As stated by OpenAI, “ Approve-for-me is not a deterministic security guarantee… It can still make mistakes, especially in adversarial or unusual contexts”. Anthropic notes, “Auto mode reduces risk… but doesn't eliminate it entirely… The classifier may still allow some risky actions”. This article exemplifies a risk that is becoming increasingly pertinent as organizations move from adopting to operationalizing AI, including the use of semi-autonomous systems and always-on agents. Attack Chain on Codex attack-chain-on-codex The user asks Codex for help triaging GitHub issues, using the 'Approve-for-me' command validation mode the-user-asks-codex-for-help-triaging-github-issues-using-the-approve-for-me-command-validation-mode When Codex wants to run a command that requires network or write access outside the Codex sandbox, the request is forwarded to the Approve-for-me agent for approval. One GitHub issue is from an external contributor and contains a prompt injection hidden in an HTML comment one-github-issue-is-from-an-external-contributor-and-contains-a-prompt-injection-hidden-in-an-html-comment Codex requests elevated permissions to run the hidden install command; the 'Approve-for-me' agent approves the escalation request codex-requests-elevated-permissions-to-run-the-hidden-install-command-the-approve-for-me-agent-approves-the-escalation-request Attacker-controlled code runs unsandboxed on the user’s machine attacker-controlled-code-runs-unsandboxed-on-the-user’s-machine A post-install script in the NPM package runs immediately upon installation and executes with the user’s full privileges. How Organizations Can Disable Agentic Auto Review in Claude and Codex how-organizations-can-disable-agentic-auto-review-in-claude-and-codex Claude: claude Organization Settings Claude Code Managed settings settings.json Manage Add the following key: permissions.disableAutoMode set to “disable” . Note: This setting was previously managed by a toggle in the admin settings interface, but the toggle is being deprecated on June 5th. If your organization relies on this toggle or the toggle for ‘Bypass permissions mode on Claude Code Desktop’ , you must update the Managed Settings file to maintain the effect. Codex: codex Navigate to https://chatgpt.com/codex/cloud/settings/policies https://chatgpt.com/codex/cloud/settings/policies Upload a requirements.toml file with the following key: allowed approval reviewers = “user” . Omitting “auto reviewer” from the list of approved reviewers blocks it for Codex Local users, which covers the Desktop App, the CLI, and the IDE extension Codex Cloud operates under different restrictions .